Windows Analysis Report
rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe

Overview

General Information

Sample name: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
Analysis ID: 1591537
MD5: 289754998d1520e2bec7190452c464ac
SHA1: a25755aa21ff2512d7f0b19af804c7ca81729767
SHA256: dd82f88cdd4a62e9e9b5a081cbd3f98b542614ee6b0e33c2385817af92c704a1
Tags: exe, user-Porcupine

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification chart not reproduced)

Process Tree

  • System is w10x64
  • rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe (PID: 424 cmdline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe" MD5: 289754998D1520E2BEC7190452C464AC)
    • overrough.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe" MD5: 289754998D1520E2BEC7190452C464AC)
      • svchost.exe (PID: 5264 cmdline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • WWAHost.exe (PID: 5196 cmdline: "C:\Windows\SysWOW64\WWAHost.exe" MD5: 7C7EDAD5BDA9C34FD50C3A58429C90F0)
            • cmd.exe (PID: 2488 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 5676 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
            • overrough.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Local\antholite\overrough.exe" MD5: 289754998D1520E2BEC7190452C464AC)
              • svchost.exe (PID: 5708 cmdline: "C:\Users\user\AppData\Local\antholite\overrough.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
          • cmmon32.exe (PID: 3700 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)
  • cleanup

Malware Configuration

FormBook configuration extracted from memory dump 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp:

{"C2 list": ["www.partments-in-dubai-66339.bond/bs84/"], "decoy": ["ehuatang.quest", "mart-healthcare.solutions", "arehouse-inventory-59593.bond", "rumpjokes.net", "oonlightshadow.store", "odernoob.website", "sdmedia.net", "0k21l6z.xyz", "kwovenart.shop", "chvb.bid", "06ks28.buzz", "grexvc.online", "unnycdn02.shop", "ettingitgonejunk.net", "lubmango.store", "ustjump.xyz", "ofiveuss.store", "aahasti-inter5.rest", "etclcg.business", "ai365.xyz", "kaislotplay.shop", "ombinedourefforts.net", "skfa.info", "024-fr-cruises.today", "usiness-loans-au-5531141.fyi", "xcavators-32553.bond", "9xx30.xyz", "allerbahisgiris.net", "ostescanadre.xyz", "undofelizpet.store", "ojadobuscabusca.online", "itstops.xyz", "teamcomuunity.online", "lcosta.shop", "rabideen.online", "aajaleh-nane4.rest", "558844a0.shop", "ive-glucofree.store", "kf777.win", "ecuronixds.xyz", "0418.pizza", "odgersfittedhats.shop", "y6c46.pro", "olfgalaxy.xyz", "svural.store", "lasses.tech", "raphic-design-degree-15820.bond", "ental-implants-60954.bond", "lonazap.net", "aconciergerie.xyz", "arehouse-inventory-27582.bond", "rofitways.pro", "erangiral4dp.net", "etenterey.one", "0percentfailrate.biz", "ristav.fun", "uanqi.live", "nline-advertising-98760.bond", "anguage-courses-51973.bond", "arehouse-inventory-44734.bond", "ealthcare-trends-16618.bond", "isab.cloud", "oodydigital.tech", "oetsgarden.art"]}

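The configuration above lists one C2 URL and a long decoy list, and the Networking section below shows the sample querying both kinds of name with every answer coming back as NXDOMAIN. The script that follows is an added example, not Joe Sandbox code: it cross-references the two so an analyst can tell which observed queries were the real C2, which were decoys, and which are in neither list. CONFIG_JSON is the report's configuration trimmed to a subset of the decoy entries; DNS_LOG copies query lines from the report in the form Joe Sandbox emits them, plus one constructed line for a host that appears in neither list. Matching a queried host to a config entry by dropping its leading "www." label is an assumption drawn from the queries the report shows (www.ustjump.xyz against decoy ustjump.xyz).

```python
"""Cross-reference an extracted FormBook config with observed DNS queries.
Added example, not Joe Sandbox code. See the lead-in for what is copied
from the report and what is assumed."""
import json
import re
from urllib.parse import urlsplit

# Subset of the configuration shown in the report (C2 entry unchanged,
# decoy list trimmed to a few entries that also appear in the DNS log).
CONFIG_JSON = """{"C2 list": ["www.partments-in-dubai-66339.bond/bs84/"],
 "decoy": ["ehuatang.quest", "06ks28.buzz", "ustjump.xyz", "skfa.info",
           "oodydigital.tech", "0418.pizza", "odernoob.website"]}"""

# Query lines copied from the report's Networking section; the last line is
# constructed to exercise the "unlisted" case.
DNS_LOG = """\
Source: unknownDNS traffic detected: query: www.oodydigital.tech replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.06ks28.buzz replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.partments-in-dubai-66339.bond replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.ustjump.xyz replaycode: Name error (3)
Source: unknownDNS traffic detected: query: www.skfa.info replaycode: Name error (3)
Source: global trafficDNS traffic detected: DNS query: www.ehuatang.quest
Source: global trafficDNS traffic detected: DNS query: www.ustjump.xyz
Source: global trafficDNS traffic detected: DNS query: www.not-in-the-config.test
"""

# Accepts both Joe Sandbox's "replaycode:" label and the corrected "reply code:".
QUERY_RE = re.compile(
    r"query: (?P<host>[A-Za-z0-9.\-]+)(?: (?:replaycode|reply code): (?P<rcode>.+))?$")


def c2_host(url):
    """Host part of a config C2 entry; entries carry no scheme, so add one for urlsplit."""
    return urlsplit("http://" + url).hostname


def normalise(host):
    """Lower-case, drop a trailing dot and a leading 'www.' label (assumption, see lead-in)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    cfg = json.loads(text)
    return ({normalise(c2_host(u)) for u in cfg["C2 list"]},
            {normalise(d) for d in cfg["decoy"]})


def parse_dns(log):
    """Yield (queried host, reply code or None) for each query line."""
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("host"), m.group("rcode")


def classify(config_text, dns_log):
    """-> {queried host: {"class": "c2"|"decoy"|"unlisted", "rcodes": set()}}"""
    c2, decoys = load_config(config_text)
    seen = {}
    for host, rcode in parse_dns(dns_log):
        key = normalise(host)
        label = "c2" if key in c2 else "decoy" if key in decoys else "unlisted"
        entry = seen.setdefault(host, {"class": label, "rcodes": set()})
        if rcode:
            entry["rcodes"].add(rcode)
    return seen


def triage(result):
    """Block only the C2. Decoy entries are padding the malware resolves to
    bury its real server in noise (several are ordinary sites), so they do
    not belong on a blocklist; hosts in neither list go to manual review."""
    def of_class(c):
        return sorted(h for h, v in result.items() if v["class"] == c)
    return {"block": of_class("c2"), "review": of_class("unlisted"),
            "decoys": len(of_class("decoy"))}


if __name__ == "__main__":
    result = classify(CONFIG_JSON, DNS_LOG)
    for host, info in sorted(result.items()):
        print(f"{info['class']:8} {host:40} {sorted(info['rcodes'])}")
    print(triage(result))
```

The reply code "Name error (3)" is NXDOMAIN: at analysis time not even the C2 name resolved, which is why the report notes that no queried domain seems valid. A dead C2 does not make the sample harmless; the persistence (overrough.vbs in the Startup folder) keeps retrying on every logon.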
Yara Overview

Memory Dumps

Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings:
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    Strings:
    • 0x18809:$sqlite3step: 68 34 1C 7B E1
    • 0x1891c:$sqlite3step: 68 34 1C 7B E1
    • 0x18838:$sqlite3text: 68 38 2A 90 C5
    • 0x1895d:$sqlite3text: 68 38 2A 90 C5
    • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
  (62 further memory-dump matches not shown)

Unpacked PEs

Source: 3.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
    Strings:
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    Strings:
    • 0x18809:$sqlite3step: 68 34 1C 7B E1
    • 0x1891c:$sqlite3step: 68 34 1C 7B E1
    • 0x18838:$sqlite3text: 68 38 2A 90 C5
    • 0x1895d:$sqlite3text: 68 38 2A 90 C5
    • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18973:$sqlite3blob: 68 53 D8 7F 8C
  (30 further unpacked-PE matches not shown)
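The string hits above land at identical offsets in the memory dump taken at 0x2EB0000 in process 0xD and in the unpacked image 3.2.svchost.exe.400000.0.raw.unpack, which is consistent with both being the same unpacked FormBook payload. The script below is an added example, not Joe Sandbox, Elastic or yara-signator code: it parses hit lines in the report's "0xOFFSET:$name: HEX" form, emits an equivalent YARA hex-string rule so the four Elastic strings can be re-scanned against your own dumps (the "2 of them" condition is an assumption, not the published rule's condition), and re-checks the reported offsets against a buffer. The buffer used here is a constructed stand-in for a dump, zero-filled with the patterns placed at the reported offsets.

```python
"""Rebuild a YARA hex-string rule from report hit lines and verify offsets.
Added example, not from the report or the rule authors."""
import re

# "0x6251:$a1: 3C 30 50 ..." -> offset, string name, hex bytes
HIT_RE = re.compile(
    r"0x(?P<off>[0-9a-fA-F]+):\$(?P<name>\w+): (?P<hex>(?:[0-9A-Fa-f]{2} ?)+)")

# Hit lines copied from the report (Elastic rule Windows_Trojan_Formbook_1112e116).
REPORTED_HITS = """\
0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
"""


def parse_hits(text):
    """-> list of (name, offset, pattern bytes), one per hit line."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if m:
            hits.append((m["name"], int(m["off"], 16),
                         bytes.fromhex(m["hex"].replace(" ", ""))))
    return hits


def to_yara(rule_name, hits, min_match=2):
    """Emit a YARA rule with one hex string per distinct name.
    The condition is an assumption (the published rule's is not reproduced here)."""
    patterns = {name: pat for name, _, pat in hits}   # dedupe repeated names
    strings = "\n".join(f"        ${name} = {{ {pat.hex(' ').upper()} }}"
                        for name, pat in sorted(patterns.items()))
    return (f"rule {rule_name}\n{{\n    strings:\n{strings}\n"
            f"    condition:\n        {min_match} of them\n}}\n")


def scan(buf, hits):
    """Plain substring scan: {name: [offsets]} for every pattern present in buf."""
    found = {}
    for name, pat in {n: p for n, _, p in hits}.items():
        offs, pos = [], buf.find(pat)
        while pos != -1:
            offs.append(pos)
            pos = buf.find(pat, pos + 1)
        if offs:
            found[name] = offs
    return found


def build_fixture(hits, size=0x20000):
    """Constructed stand-in for a dump: zeros with each pattern at its reported offset."""
    buf = bytearray(size)
    for _, off, pat in hits:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


def offsets_confirmed(buf, hits):
    """True when every reported (name, offset) pair is among the scan results."""
    found = scan(buf, hits)
    return all(off in found.get(name, []) for name, off, _ in hits)


if __name__ == "__main__":
    hits = parse_hits(REPORTED_HITS)
    print(to_yara("Formbook_strings_from_report", hits))
    dump = build_fixture(hits)
    print(scan(dump, hits), offsets_confirmed(dump, hits))
```

Replace the fixture with the bytes of a real dump (for example, the raw unpacked image) to check whether its hits line up with the report's; matching offsets across dumps from different processes are a quick sign that they hold the same unpacked image, as they do here.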

Sigma Overview

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , ProcessId: 5676, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", CommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", ParentImage: C:\Users\user\AppData\Local\antholite\overrough.exe, ParentProcessId: 3608, ParentProcessName: overrough.exe, ProcessCommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", ProcessId: 5264, ProcessName: svchost.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" , ProcessId: 5676, ProcessName: wscript.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", CommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", ParentImage: C:\Users\user\AppData\Local\antholite\overrough.exe, ParentProcessId: 3608, ParentProcessName: overrough.exe, ProcessCommandLine: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe", ProcessId: 5264, ProcessName: svchost.exe
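The two process-start records above carry everything a detection needs: wscript.exe launched by explorer.exe with a .vbs under the per-user Startup folder, and a SysWOW64 svchost.exe whose parent is the AutoIt dropper rather than services.exe and whose command line names the dropper's path instead of svchost.exe itself (the hollowing the report describes). The script below is an added example, not Joe Sandbox or Sigma code: it implements those three checks over constructed process-creation events that mirror the report's fields (Image, CommandLine, ParentImage, ProcessId, ParentProcessId), alongside two benign controls. The allow-list of legitimate svchost.exe parents is a simplified assumption; the upstream Sigma rule carries a longer one.

```python
"""Sigma-style checks over process-creation events. Added example, not Joe
Sandbox or Sigma code; events are constructed to mirror the report's records."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Per-user or all-users Startup folder inside a path (case-insensitive).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Simplified allow-list of parents that legitimately start svchost.exe (assumption).
SVCHOST_PARENTS = ("services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe")
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(command_line):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]


def script_from_startup(ev):
    """wscript/cscript executing a script file that lives in a Startup folder."""
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return False
    return any(STARTUP_RE.search(arg) and arg.lower().endswith(SCRIPT_EXT)
               for arg in split_args(ev.command_line)[1:])


def uncommon_svchost_parent(ev):
    """svchost.exe started by something other than the SCM or a known host."""
    if ntpath.basename(ev.image).lower() != "svchost.exe":
        return False
    return ntpath.basename(ev.parent_image).lower() not in SVCHOST_PARENTS


def image_cmdline_mismatch(ev):
    """argv[0] names a different executable than the process image: the
    hollowing pattern in the report (svchost.exe image, dropper on the command line)."""
    args = split_args(ev.command_line)
    if not args:
        return False
    return ntpath.basename(args[0]).lower() != ntpath.basename(ev.image).lower()


RULES = {
    "WSH script executed from Startup folder": script_from_startup,
    "Uncommon svchost.exe parent": uncommon_svchost_parent,
    "Image / command-line mismatch (hollowing)": image_cmdline_mismatch,
}


def evaluate(events):
    """Return {pid: [names of rules that fired]} for events with at least one hit."""
    hits = {}
    for ev in events:
        fired = [name for name, check in RULES.items() if check(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed events: the first two reproduce the report's records, the last
# two are benign controls (normal svchost.exe from services.exe; a script run
# from outside the Startup folder).
SAMPLE_EVENTS = [
    ProcEvent(5676, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs" ',
              4004, r"C:\Windows\explorer.exe"),
    ProcEvent(5264, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"',
              3608, r"C:\Users\user\AppData\Local\antholite\overrough.exe"),
    ProcEvent(1000, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p",
              700, r"C:\Windows\System32\services.exe"),
    ProcEvent(1100, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" //nologo C:\Scripts\inventory.vbs',
              900, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, fired in evaluate(SAMPLE_EVENTS).items():
        print(pid, fired)
```

The mismatch check is the one worth keeping beyond this sample: a hollowed process keeps the image path of the host it was created from while its command line still names whatever the dropper passed to CreateProcess, and that pair rarely disagrees in legitimate software.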

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\antholite\overrough.exe, ProcessId: 3608, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs

No Suricata rule has matched

Signature Overview

AV Detection

Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Avira: detected
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Avira: detection malicious, Label: DR/AutoIt.Gen8
Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.partments-in-dubai-66339.bond/bs84/"], "decoy": ["ehuatang.quest", "mart-healthcare.solutions", "arehouse-inventory-59593.bond", "rumpjokes.net", "oonlightshadow.store", "odernoob.website", "sdmedia.net", "0k21l6z.xyz", "kwovenart.shop", "chvb.bid", "06ks28.buzz", "grexvc.online", "unnycdn02.shop", "ettingitgonejunk.net", "lubmango.store", "ustjump.xyz", "ofiveuss.store", "aahasti-inter5.rest", "etclcg.business", "ai365.xyz", "kaislotplay.shop", "ombinedourefforts.net", "skfa.info", "024-fr-cruises.today", "usiness-loans-au-5531141.fyi", "xcavators-32553.bond", "9xx30.xyz", "allerbahisgiris.net", "ostescanadre.xyz", "undofelizpet.store", "ojadobuscabusca.online", "itstops.xyz", "teamcomuunity.online", "lcosta.shop", "rabideen.online", "aajaleh-nane4.rest", "558844a0.shop", "ive-glucofree.store", "kf777.win", "ecuronixds.xyz", "0418.pizza", "odgersfittedhats.shop", "y6c46.pro", "olfgalaxy.xyz", "svural.store", "lasses.tech", "raphic-design-degree-15820.bond", "ental-implants-60954.bond", "lonazap.net", "aconciergerie.xyz", "arehouse-inventory-27582.bond", "rofitways.pro", "erangiral4dp.net", "etenterey.one", "0percentfailrate.biz", "ristav.fun", "uanqi.live", "nline-advertising-98760.bond", "anguage-courses-51973.bond", "arehouse-inventory-44734.bond", "ealthcare-trends-16618.bond", "isab.cloud", "oodydigital.tech", "oetsgarden.art"]}
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; ReversingLabs: Detection: 28%
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Virustotal: Detection: 27%
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; ReversingLabs: Detection: 28%
Source: Yara match; File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Joe Sandbox ML: detected
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Joe Sandbox ML: detected
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: WWAHost.pdb source: svchost.exe, 00000003.00000003.2311264128.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2311043729.0000000004100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2314283339.0000000005AC0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4671147451.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdb source: svchost.exe, 0000000D.00000003.2410833878.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2412350421.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2419765780.0000000000B40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000003.00000003.2311264128.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2311043729.0000000004100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2314283339.0000000005AC0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4671147451.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: svchost.exe, 0000000D.00000003.2410833878.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2412350421.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2419765780.0000000000B40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: overrough.exe, 00000002.00000003.2242318249.0000000004000000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 00000002.00000003.2241215177.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2244871625.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2242839467.0000000003800000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.000000000410E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.0000000003F70000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2312039130.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2315476761.0000000003DBE000.00000004.00000020.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2369782526.0000000003930000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2376316590.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2376377688.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2378119278.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.000000000319E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2416664218.0000000004A4A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2411865564.0000000004895000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: overrough.exe, 00000002.00000003.2242318249.0000000004000000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 00000002.00000003.2241215177.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2313009652.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2244871625.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2242839467.0000000003800000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.000000000410E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.0000000003F70000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2312039130.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2315476761.0000000003DBE000.00000004.00000020.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2369782526.0000000003930000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2376316590.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2376377688.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2378119278.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.000000000319E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2416664218.0000000004A4A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2411865564.0000000004895000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.4695099339.000000001090F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4679918626.00000000044BF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4677955355.00000000036DC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.4695099339.000000001090F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4679918626.00000000044BF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4677955355.00000000036DC000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_0039C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe; Code function: 0_2_003D5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_007EC2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_008268EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_0082698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_0081D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_0081D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_00829642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_0082979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_0081DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_00829B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\antholite\overrough.exe; Code function: 2_2_00825C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop esi; 3_2_004172ED
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop ebx; 3_2_00407B1A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi; 3_2_00416C90

          Networking

          barindex
          Source: Malware configuration extractorURLs: www.partments-in-dubai-66339.bond/bs84/
          Source: DNS query: www.ustjump.xyz
          Source: unknown | DNS traffic detected: query: www.oodydigital.tech reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.06ks28.buzz reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ofiveuss.store reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.0418.pizza reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.partments-in-dubai-66339.bond reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.odernoob.website reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ehuatang.quest reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.kaislotplay.shop reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.ustjump.xyz reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.skfa.info reply code: Name error (3)
          Source: unknown | DNS traffic detected: query: www.odgersfittedhats.shop reply code: Name error (3)
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003DCE44 InternetReadFile,SetEvent,GetLastError,SetEvent
          Source: global traffic | DNS traffic detected: DNS query: www.06ks28.buzz
          Source: global traffic | DNS traffic detected: DNS query: www.0418.pizza
          Source: global traffic | DNS traffic detected: DNS query: www.odernoob.website
          Source: global traffic | DNS traffic detected: DNS query: www.ustjump.xyz
          Source: global traffic | DNS traffic detected: DNS query: www.skfa.info
          Source: global traffic | DNS traffic detected: DNS query: www.ehuatang.quest
          Source: global traffic | DNS traffic detected: DNS query: www.oodydigital.tech
          Source: global traffic | DNS traffic detected: DNS query: www.partments-in-dubai-66339.bond
          Source: global traffic | DNS traffic detected: DNS query: www.ofiveuss.store
          Source: global traffic | DNS traffic detected: DNS query: www.odgersfittedhats.shop
          Source: global traffic | DNS traffic detected: DNS query: www.kaislotplay.shop
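As an added example (not part of the Joe Sandbox report, and not FormBook's or Joe Sandbox's own code), the script below turns two pieces of evidence from this section into something a responder can run. It parses the "DNS traffic detected" lines and counts how many distinct names came back with reply code 3 (NXDOMAIN, rendered as "Name error (3)" above), which is the "many names queried, none resolve" pattern behind the "Tries to resolve many domain names, but no domain seems valid" signature. It then pulls candidate C2 hosts out of the explorer.exe memory strings this report lists, keying on the campaign path (/bs84/ here) and on the fact that adjacent entries of the stored domain list appear fused ("…/bs84/www.<next host>"), and finally lists the hosts present in memory that the sample never got around to resolving during the run. The sample lines are the report's own evidence copied in as constructed input (in the raw "replaycode" spelling the tool emits; the parser also accepts "reply code"); the thresholds (5 names, 80% failure) and the evidence ranking are assumptions chosen for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample input: the DNS evidence lines from this report, copied in as
# test data in the tool's raw "replaycode" spelling. Not a live capture.
DNS_LINES = [
    "Source: unknown DNS traffic detected: query: www.oodydigital.tech replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.06ks28.buzz replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.ofiveuss.store replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.0418.pizza replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.partments-in-dubai-66339.bond replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.odernoob.website replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.ehuatang.quest replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.kaislotplay.shop replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.ustjump.xyz replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.skfa.info replaycode: Name error (3)",
    "Source: unknown DNS traffic detected: query: www.odgersfittedhats.shop replaycode: Name error (3)",
]

# Constructed sample input: URL strings the report recovered from explorer.exe memory.
# Where the stored domain list is contiguous, the next entry shows up fused after the path.
MEMORY_STRINGS = [
    "http://www.0418.pizza",
    "http://www.0418.pizza/bs84/",
    "http://www.0418.pizza/bs84/www.odernoob.website",
    "http://www.0418.pizzaReferer:",
    "http://www.06ks28.buzz/bs84/www.0418.pizza",
    "http://www.0percentfailrate.biz/bs84/www.ecuronixds.xyz",
    "http://www.ecuronixds.xyz/bs84/www.ristav.fun",
    "http://www.ehuatang.quest/bs84/www.grexvc.online",
    "http://www.grexvc.online/bs84/www.oodydigital.tech",
    "http://www.kaislotplay.shop/bs84/www.unnycdn02.shop",
    "http://www.odernoob.website/bs84/www.ustjump.xyz",
    "http://www.odgersfittedhats.shop/bs84/www.kaislotplay.shop",
    "http://www.ofiveuss.store/bs84/www.odgersfittedhats.shop",
    "http://www.oodydigital.tech/bs84/www.partments-in-dubai-66339.bond",
    "http://www.partments-in-dubai-66339.bond/bs84/www.ofiveuss.store",
    "http://www.ristav.fun/bs84/",
]

# Accepts both the raw "replaycode:" spelling and "reply code:".
DNS_RE = re.compile(r"query:\s*(?P<name>\S+)\s+repl(?:ay|y)\s*code:\s*(?P<rcode>.+?)\s*$")
# Host, optional one-segment path, optional fused next host. Lowercase only, so the
# "Referer:" text glued onto some strings terminates the host instead of joining it.
URL_RE = re.compile(r"http://(?P<host>www\.[a-z0-9.-]+)(?P<path>/[a-z0-9]+/)?(?P<next>www\.[a-z0-9.-]+)?")

# Assumed ranking: seen with the campaign path > seen fused after a path > bare host.
EVIDENCE_RANK = {"bare": 0, "fused": 1, "path": 2}


def parse_dns(lines):
    """Map each queried name to its reply code string."""
    out = {}
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            out[m.group("name").lower()] = m.group("rcode")
    return out


def failed_resolution_ratio(dns):
    """Fraction of distinct names answered with RCODE 3 (NXDOMAIN, 'Name error (3)')."""
    if not dns:
        return 0.0
    nx = sum(1 for rc in dns.values() if "(3)" in rc or "name error" in rc.lower())
    return nx / len(dns)


def looks_like_formbook_decoys(dns, min_names=5, min_ratio=0.8):
    """Assumed heuristic: many distinct names, (almost) none of which exist."""
    return len(dns) >= min_names and failed_resolution_ratio(dns) >= min_ratio


def extract_c2_candidates(strings, campaign_path="/bs84/"):
    """Collect hosts seen with the campaign path, plus the host fused right after it."""
    hosts = OrderedDict()

    def note(host, kind):
        if host not in hosts or EVIDENCE_RANK[kind] > EVIDENCE_RANK[hosts[host]]:
            hosts[host] = kind

    for s in strings:
        for m in URL_RE.finditer(s):
            if m.group("path") == campaign_path:
                note(m.group("host"), "path")
                if m.group("next"):
                    note(m.group("next"), "fused")
            else:
                note(m.group("host"), "bare")
    return hosts


def not_yet_observed(candidates, dns):
    """Hosts present in memory that were never resolved during the sandbox run."""
    return [h for h in candidates if h not in dns]


if __name__ == "__main__":
    dns = parse_dns(DNS_LINES)
    print(f"{len(dns)} names queried, NXDOMAIN ratio {failed_resolution_ratio(dns):.2f}, "
          f"decoy pattern: {looks_like_formbook_decoys(dns)}")
    cands = extract_c2_candidates(MEMORY_STRINGS)
    for host, kind in cands.items():
        print(f"{host:40} {kind}")
    print("in memory but never resolved in this run:", not_yet_observed(cands, dns))
```

The hosts returned by not_yet_observed() are the reason to build a blocklist from the memory-extracted list rather than only from the names seen on the wire: the sample walks its list over time, and a short sandbox run touches only part of it. A second short run of the same sample, or a memory dump taken later, will usually add names the DNS log alone would miss.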
          Source: explorer.exe, 00000004.00000002.4684747503.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000004.00000002.4684747503.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000004.00000002.4684747503.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000004.00000002.4684747503.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000004.00000000.2251937251.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2251981518.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4678811961.00000000028A0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0418.pizza
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0418.pizza/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0418.pizza/bs84/www.odernoob.website
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0418.pizzaReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.06ks28.buzz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.06ks28.buzz/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.06ks28.buzz/bs84/www.0418.pizza
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.06ks28.buzzReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0percentfailrate.biz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0percentfailrate.biz/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0percentfailrate.biz/bs84/www.ecuronixds.xyz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.0percentfailrate.bizReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecuronixds.xyz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecuronixds.xyz/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecuronixds.xyz/bs84/www.ristav.fun
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ecuronixds.xyzReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehuatang.quest
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehuatang.quest/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehuatang.quest/bs84/www.grexvc.online
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ehuatang.questReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.grexvc.online
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.grexvc.online/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.grexvc.online/bs84/www.oodydigital.tech
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.grexvc.onlineReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kaislotplay.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kaislotplay.shop/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kaislotplay.shop/bs84/www.unnycdn02.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.kaislotplay.shopReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odernoob.website
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odernoob.website/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odernoob.website/bs84/www.ustjump.xyz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odernoob.websiteReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odgersfittedhats.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odgersfittedhats.shop/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odgersfittedhats.shop/bs84/www.kaislotplay.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.odgersfittedhats.shopReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ofiveuss.store
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ofiveuss.store/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ofiveuss.store/bs84/www.odgersfittedhats.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ofiveuss.storeReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oodydigital.tech
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oodydigital.tech/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oodydigital.tech/bs84/www.partments-in-dubai-66339.bond
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.oodydigital.techReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.partments-in-dubai-66339.bond
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.partments-in-dubai-66339.bond/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.partments-in-dubai-66339.bond/bs84/www.ofiveuss.store
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.partments-in-dubai-66339.bondReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ristav.fun
          Source: explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ristav.fun/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ristav.funReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skfa.info
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skfa.info/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skfa.info/bs84/www.ehuatang.quest
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.skfa.infoReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnycdn02.shop
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnycdn02.shop/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnycdn02.shop/bs84/www.0percentfailrate.biz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.unnycdn02.shopReferer:
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustjump.xyz
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustjump.xyz/bs84/
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustjump.xyz/bs84/www.skfa.info
          Source: explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ustjump.xyzReferer:
          Source: explorer.exe, 00000004.00000002.4685948475.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979266187.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2256015421.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000004.00000003.2980723976.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980284749.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000004.00000003.2980723976.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980284749.000000000C39F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
          Source: explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 00000004.00000002.4691885016.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000004.00000003.2979834844.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693449387.000000000C4EB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
          Source: explorer.exe, 00000004.00000002.4685948475.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979266187.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2256015421.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
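
          The explorer.exe strings above fall into two groups: explorer.exe's own MSN/Windows telemetry endpoints, and a set of http://www.<domain> URLs that all share the path /bs84/ and that are sometimes fused with the next string in memory (http://www.a/bs84/www.b) or with a following Referer: header template. FormBook builds its beacon URLs as http://www.<domain>/<path>/ from an embedded list of domains (most of them decoys), so that second group is the list worth extracting. The script below is an added example, not part of the Joe Sandbox report; it assumes /bs84/ is the campaign path (inferred from the rows above, not read from the configuration) and runs on a constructed subset of the rows.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the explorer.exe "String found in binary or
# memory" rows above, copied verbatim from the report.
SAMPLE_STRINGS = [
    "http://www.oodydigital.tech/bs84/www.partments-in-dubai-66339.bond",
    "http://www.oodydigital.techReferer:",
    "http://www.partments-in-dubai-66339.bond",
    "http://www.partments-in-dubai-66339.bond/bs84/",
    "http://www.partments-in-dubai-66339.bond/bs84/www.ofiveuss.store",
    "http://www.ristav.fun",
    "http://www.ristav.fun/bs84/",
    "http://www.skfa.info/bs84/www.ehuatang.quest",
    "http://www.unnycdn02.shop/bs84/www.0percentfailrate.biz",
    "http://www.ustjump.xyz/bs84/www.skfa.info",
    "https://api.msn.com/v1/news/Feed/Windows?",
    "https://api.msn.com:443/v1/news/Feed/Windows?",
    "https://wns.windows.com/",
    "https://www.msn.com:443/en-us/feed",
    "https://excel.office.com-",
]

# Assumption: the path every non-Microsoft URL above shares is the campaign's
# C2 URI. FormBook builds its beacons as http://www.<domain>/<path>/ from a
# domain list, so the path is what ties the list members together.
CAMPAIGN_PATH = "/bs84/"
FUSED = "<fused>"   # marker: host was glued to the end of the preceding URL string

URL_RE = re.compile(r"^https?://([^/:\s]+)(?::\d+)?(/\S*)?$")
# '/bs84/www.other.tld': the C2 path immediately followed by the next list entry
FUSED_RE = re.compile(r"^(/[^/]+/)(www\.[A-Za-z0-9.\-]+)$")


def normalise(raw):
    """Return [(host, path), ...] found in one memory string.

    Two dump artefacts are handled:
      * a trailing 'Referer:' (the HTTP header template stored right after the URL)
      * two strings fused, e.g. 'http://www.a/bs84/www.b' -> (a, /bs84/) and (b, <fused>)
    """
    m = URL_RE.match(raw.removesuffix("Referer:"))
    if not m:
        return []
    host, path = m.group(1), m.group(2) or "/"
    fm = FUSED_RE.match(path)
    if fm:
        return [(host, fm.group(1)), (fm.group(2), FUSED)]
    return [(host, path)]


def triage(strings, campaign_path=CAMPAIGN_PATH):
    """Split hosts into C2-list candidates (seen with the campaign path, or fused
    onto a URL that has it) and everything else (here: explorer.exe's own
    MSN/Windows telemetry endpoints)."""
    paths = defaultdict(set)
    for raw in strings:
        for host, path in normalise(raw):
            paths[host].add(path)
    candidates = sorted(h for h, p in paths.items() if campaign_path in p or FUSED in p)
    other = sorted(h for h in paths if h not in candidates)
    return {"candidates": candidates, "other": other,
            "paths": {h: sorted(p) for h, p in paths.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS)
    print(f"{len(result['candidates'])} C2-list candidates:")
    for host in result["candidates"]:
        print("  ", host, result["paths"][host])
    print("other hosts:", result["other"])
```

          On the constructed sample this yields nine list members and four explorer.exe endpoints. The fused forms are the useful part: www.ofiveuss.store, www.ehuatang.quest and www.0percentfailrate.biz never appear with a path of their own in the rows above, and only the fusion places them in the list. Which of the nine is the live C2 cannot be decided from strings alone; that needs the decoded configuration or the DNS/HTTP activity from the run.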
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003DEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003DEAFF
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003DED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_003DED6A
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_0082ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0082ED6A
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003CAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_003CAA57
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003F9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_003F9576
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00849576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00849576

          E-Banking Fraud

          barindex
          Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
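
          The memory sources above carry the triage information in their names: process index, analysis step, base address and page protection. Lining them up against the unpack names (00000003.00000002.*.0000000000400000.* is the same region as 3.2.svchost.exe.400000.0) shows where the unpacked FormBook payload sits and which hits are writable-and-executable regions, i.e. the injected code rather than a data copy of it. The script below is an added example, not Joe Sandbox tooling: the .sdmp field layout is inferred from that cross-reference, the sixth field is left undecoded, the protection and type values are the standard winnt.h constants, and the one-page matching tolerance is a heuristic for dumps that start a page into the image (13.2.svchost.exe.2660000 against the 0x2661000 dump).

```python
import re
from dataclasses import dataclass

# Constructed sample: the Yara-match sources listed in the E-Banking Fraud block above.
SAMPLE_YARA_SOURCES = [
    "3.2.svchost.exe.400000.0.raw.unpack",
    "2.2.overrough.exe.1e20000.1.raw.unpack",
    "12.2.overrough.exe.780000.0.unpack",
    "13.2.svchost.exe.2660000.0.unpack",
    "0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp",
    "00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp",
    "00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp",
    "0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp",
    "0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp",
    "00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp",
    "0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp",
]

# MEMORY_BASIC_INFORMATION.Protect and .Type constants from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed .sdmp layout, inferred by lining the names up against the unpack names
# (00000003.00000002.*.0000000000400000.* <-> 3.2.svchost.exe.400000):
#   <proc hex>.<step hex>.<dump id>.<base hex>.<protect hex>.<flags>.<type hex>.<reserved>.sdmp
# The <flags> field is not decoded here.
DUMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
# <proc>.<step>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.([^.]+\.exe)\.([0-9a-f]+)\.(\d+)(\.raw)?\.unpack$")


@dataclass
class Region:
    proc: int
    step: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)      # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)      # RW, WRITECOPY, RWX, EXECUTE_WRITECOPY


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        return None
    proc, step, _dump_id, base, protect, _flags, mem_type, _reserved = m.groups()
    return Region(int(proc, 16), int(step, 16), int(base, 16), int(protect, 16), int(mem_type, 16))


def parse_unpack(name):
    m = UNPACK_RE.match(name)
    if not m:
        return None
    proc, step, image, base, _index, raw = m.groups()
    return {"proc": int(proc), "step": int(step), "image": image,
            "base": int(base, 16), "raw": raw is not None}


def correlate(sources, tolerance=0x1000):
    """One row per dumped region: decoded protection/type, an RWX flag, and the
    unpacked PE images of the same process whose base lies within `tolerance`."""
    regions, unpacked = {}, []
    for s in sources:
        r = parse_dump(s)
        if r is not None:
            regions[(r.proc, r.base)] = r
            continue
        u = parse_unpack(s)
        if u is not None:
            unpacked.append(u)
    rows = []
    for (proc, base), r in sorted(regions.items()):
        images = sorted({u["image"] for u in unpacked
                         if u["proc"] == proc and abs(u["base"] - base) <= tolerance})
        rows.append({
            "proc": proc, "step": r.step, "base": base,
            "protect": PAGE_PROTECT.get(r.protect, hex(r.protect)),
            "type": MEM_TYPE.get(r.mem_type, hex(r.mem_type)),
            "rwx": r.executable and r.writable,
            "images": images,
        })
    return rows


def rwx_regions(rows):
    """(proc, base) of every region that is both writable and executable."""
    return [(row["proc"], row["base"]) for row in rows if row["rwx"]]


if __name__ == "__main__":
    for row in correlate(SAMPLE_YARA_SOURCES):
        print(f"proc {row['proc']:>2}  base 0x{row['base']:08X}  {row['protect']:<22} "
              f"{row['type']:<11} {'RWX' if row['rwx'] else '   '}  {','.join(row['images'])}")
```

          On the sample this gives four RWX mapped regions (processes 3 and 13, both svchost.exe by the unpack names, plus processes 5 and 14, which have no unpack entry here), while the overrough.exe hits in processes 2 and 12 are PAGE_READWRITE private memory, consistent with the payload being staged before injection rather than executing there.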

          System Summary

          barindex
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: overrough.exe PID: 3608, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 5264, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
          Source: Process Memory Space: WWAHost.exe PID: 5196, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: overrough.exe PID: 7020, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 5708, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmmon32.exe PID: 3700, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, 00000000.00000000.2216486272.0000000000422000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, 00000000.00000000.2216486272.0000000000422000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, 00000000.00000003.2226481322.0000000004371000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, 00000000.00000003.2226481322.0000000004371000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: overrough.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: overrough.exe, 00000002.00000000.2226925613.0000000000872000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: overrough.exe, 00000002.00000000.2226925613.0000000000872000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: overrough.exe, 0000000C.00000000.2359142664.0000000000872000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: overrough.exe, 0000000C.00000000.2359142664.0000000000872000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: overrough.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: overrough.exe.0.dr | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: initial sample | Static PE information: Filename: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A320 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A3D0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A450 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A500 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A373 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A3CA NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041A4FC NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72F90 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C735C0 NtCreateMutant
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C73D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B1A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B1A042 NtQueryInformationProcess
Source: C:\Windows\explorer.exe | Code function: 4_2_112E4232 NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 4_2_112E5E12 NtProtectVirtualMemory
Source: C:\Windows\explorer.exe | Code function: 4_2_112E5E0A NtProtectVirtualMemory
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003CD5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003CE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_0081E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00368060
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003D2046
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C8298
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0039E4FF
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0039676B
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003F4873
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0038CAA0
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0036CAF0
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0037CC39
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00396DD9
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0037B119
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003691C0
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00381394
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0038781B
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00367920
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0037997D
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00387A4A
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00387CA7
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003EBE44
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00399EEE
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0036BF40
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_019B4788
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007B8060
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00822046
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00818298
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007EE4FF
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007E676B
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00844873
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007BCAF0
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007DCAA0
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007CCC39
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007E6DD9
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007CB119
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007B91C0
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D1394
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D781B
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007C997D
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007B7920
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D7A4A
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D7CA7
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007E9EEE
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_0083BE44
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_01533978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D92A3_2_0041D92A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041DBEA3_2_0041DBEA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D5633_2_0041D563
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00402D873_2_00402D87
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00409E503_2_00409E50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041EED83_2_0041EED8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E3F03_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D003E63_2_03D003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFA3523_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC02C03_2_03CC02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE02743_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF81CC3_2_03CF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF41A23_2_03CF41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D001AA3_2_03D001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC81583_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C301003_2_03C30100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDA1183_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD20003_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3C7C03_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C647503_2_03C64750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C407703_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5C6E03_2_03C5C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D005913_2_03D00591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C405353_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEE4F63_2_03CEE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF24463_2_03CF2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE44203_2_03CE4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF6BD73_2_03CF6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFAB403_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3EA803_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C429A03_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D0A9A63_2_03D0A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C569623_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E8F03_2_03C6E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C268B83_2_03C268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4A8403_2_03C4A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C428403_2_03C42840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C32FC83_2_03C32FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4CFE03_2_03C4CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CBEFA03_2_03CBEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB4F403_2_03CB4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C82F283_2_03C82F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C60F303_2_03C60F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE2F303_2_03CE2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFEEDB3_2_03CFEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C52E903_2_03C52E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFCE933_2_03CFCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40E593_2_03C40E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFEE263_2_03CFEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3ADE03_2_03C3ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C58DBF3_2_03C58DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4AD003_2_03C4AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDCD1F3_2_03CDCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C30CF23_2_03C30CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0CB53_2_03CE0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40C003_2_03C40C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C8739A3_2_03C8739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2D34C3_2_03C2D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF132D3_2_03CF132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5B2C03_2_03C5B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE12ED3_2_03CE12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C452A03_2_03C452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4B1B03_2_03C4B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C7516C3_2_03C7516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2F1723_2_03C2F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D0B16B3_2_03D0B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEF0CC3_2_03CEF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C470C03_2_03C470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF70E93_2_03CF70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFF0E03_2_03CFF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFF7B03_2_03CFF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF16CC3_2_03CF16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C856303_2_03C85630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D095C33_2_03D095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDD5B03_2_03CDD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF75713_2_03CF7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C314603_2_03C31460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFF43F3_2_03CFF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB5BF03_2_03CB5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C7DBF93_2_03C7DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5FB803_2_03C5FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFFB763_2_03CFFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEDAC63_2_03CEDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDDAAC3_2_03CDDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C85AA03_2_03C85AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE1AA33_2_03CE1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFFA493_2_03CFFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF7A463_2_03CF7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB3A6C3_2_03CB3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C499503_2_03C49950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5B9503_2_03C5B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD59103_2_03CD5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C438E03_2_03C438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAD8003_2_03CAD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C03FD23_2_03C03FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C03FD53_2_03C03FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C41F923_2_03C41F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFFFB13_2_03CFFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFFF093_2_03CFFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C49EB03_2_03C49EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5FDC03_2_03C5FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C43D403_2_03C43D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF1D5A3_2_03CF1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF7D733_2_03CF7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CFFCF23_2_03CFFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB9C323_2_03CB9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B1A0363_2_03B1A036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B1B2323_2_03B1B232
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B110823_2_03B11082
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B1E5CD3_2_03B1E5CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B15B303_2_03B15B30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B15B323_2_03B15B32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B189123_2_03B18912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B12D023_2_03B12D02
          Source: C:\Windows\explorer.exeCode function: 4_2_0E38E2324_2_0E38E232
          Source: C:\Windows\explorer.exeCode function: 4_2_0E388B304_2_0E388B30
          Source: C:\Windows\explorer.exeCode function: 4_2_0E388B324_2_0E388B32
          Source: C:\Windows\explorer.exeCode function: 4_2_0E38D0364_2_0E38D036
          Source: C:\Windows\explorer.exeCode function: 4_2_0E3840824_2_0E384082
          Source: C:\Windows\explorer.exeCode function: 4_2_0E38B9124_2_0E38B912
          Source: C:\Windows\explorer.exeCode function: 4_2_0E385D024_2_0E385D02
          Source: C:\Windows\explorer.exeCode function: 4_2_0E3915CD4_2_0E3915CD
          Source: C:\Windows\explorer.exeCode function: 4_2_111A29124_2_111A2912
          Source: C:\Windows\explorer.exeCode function: 4_2_1119CD024_2_1119CD02
          Source: C:\Windows\explorer.exeCode function: 4_2_111A85CD4_2_111A85CD
          Source: C:\Windows\explorer.exeCode function: 4_2_111A40364_2_111A4036
          Source: C:\Windows\explorer.exeCode function: 4_2_1119B0824_2_1119B082
          Source: C:\Windows\explorer.exeCode function: 4_2_1119FB304_2_1119FB30
          Source: C:\Windows\explorer.exeCode function: 4_2_1119FB324_2_1119FB32
          Source: C:\Windows\explorer.exeCode function: 4_2_111A52324_2_111A5232
          Source: C:\Windows\explorer.exeCode function: 4_2_112E42324_2_112E4232
          Source: C:\Windows\explorer.exeCode function: 4_2_112DEB304_2_112DEB30
          Source: C:\Windows\explorer.exeCode function: 4_2_112DEB324_2_112DEB32
          Source: C:\Windows\explorer.exeCode function: 4_2_112DBD024_2_112DBD02
          Source: C:\Windows\explorer.exeCode function: 4_2_112E19124_2_112E1912
          Source: C:\Windows\explorer.exeCode function: 4_2_112E75CD4_2_112E75CD
          Source: C:\Windows\explorer.exeCode function: 4_2_112E30364_2_112E3036
          Source: C:\Windows\explorer.exeCode function: 4_2_112DA0824_2_112DA082
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: String function: 0037F9F2 appears 40 times
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: String function: 00369CB3 appears 31 times
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: String function: 00380A30 appears 46 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03CBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03C2B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03CAEA12 appears 86 times
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeCode function: String function: 007CF9F2 appears 40 times
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeCode function: String function: 007B9CB3 appears 31 times
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeCode function: String function: 007D0A30 appears 46 times
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: overrough.exe PID: 3608, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 5264, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
          Source: Process Memory Space: WWAHost.exe PID: 5196, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: overrough.exe PID: 7020, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 5708, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmmon32.exe PID: 3700, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@18/3@11/0
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003D37B5 GetLastError,FormatMessageW,0_2_003D37B5
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003C10BF AdjustTokenPrivileges,CloseHandle,0_2_003C10BF
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003C16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_003C16C3
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeCode function: 2_2_008110BF AdjustTokenPrivileges,CloseHandle,2_2_008110BF
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeCode function: 2_2_008116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_008116C3
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003D51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_003D51CD
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003EA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_003EA67C
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003D648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_003D648E
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: 0_2_003642A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_003642A2
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeFile created: C:\Users\user\AppData\Local\antholiteJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_03
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeFile created: C:\Users\user\AppData\Local\Temp\unrosinedJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs"
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeVirustotal: Detection: 27%
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeReversingLabs: Detection: 28%
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeFile read: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeProcess created: C:\Users\user\AppData\Local\antholite\overrough.exe "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs"
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\antholite\overrough.exe "C:\Users\user\AppData\Local\antholite\overrough.exe"
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\antholite\overrough.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: windows.cloudstore.schema.shell.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: cdprt.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: mfsrcsnk.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140_1.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: msvcp140.dllJump to behavior
          Source: C:\Windows\explorer.exeSection loaded: vcruntime140.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Local\antholite\overrough.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: cmutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic file information: File size 1464832 > 1048576
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: WWAHost.pdb source: svchost.exe, 00000003.00000003.2311264128.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2311043729.0000000004100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2314283339.0000000005AC0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4671147451.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdb source: svchost.exe, 0000000D.00000003.2410833878.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2412350421.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2419765780.0000000000B40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: svchost.exe, 00000003.00000003.2311264128.0000000005C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2311043729.0000000004100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2314283339.0000000005AC0000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4671147451.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: svchost.exe, 0000000D.00000003.2410833878.0000000002A1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2412350421.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2419765780.0000000000B40000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: overrough.exe, 00000002.00000003.2242318249.0000000004000000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 00000002.00000003.2241215177.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2244871625.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2242839467.0000000003800000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.000000000410E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.0000000003F70000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2312039130.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2315476761.0000000003DBE000.00000004.00000020.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2369782526.0000000003930000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2376316590.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2376377688.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2378119278.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.000000000319E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2416664218.0000000004A4A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 
0000000E.00000003.2411865564.0000000004895000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: overrough.exe, 00000002.00000003.2242318249.0000000004000000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 00000002.00000003.2241215177.0000000003E60000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2313009652.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2244871625.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2313009652.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2242839467.0000000003800000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.000000000410E000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4678750405.0000000003F70000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2312039130.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000005.00000003.2315476761.0000000003DBE000.00000004.00000020.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2369782526.0000000003930000.00000004.00001000.00020000.00000000.sdmp, overrough.exe, 0000000C.00000003.2376316590.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2376377688.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.2378119278.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.2413064667.000000000319E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2416664218.0000000004A4A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000002.2429310298.0000000004D8E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000E.00000003.2411865564.0000000004895000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000004.00000002.4695099339.000000001090F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4679918626.00000000044BF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4677955355.00000000036DC000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000004.00000002.4695099339.000000001090F000.00000004.80000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4679918626.00000000044BF000.00000004.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000005.00000002.4677955355.00000000036DC000.00000004.00000020.00020000.00000000.sdmp
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003642DE
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_00380A76 push ecx; ret 0_2_00380A89
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_007D0A76 push ecx; ret 2_2_007D0A89
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041E976 push ss; ret 3_2_0041E977
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00417235 push esi; retf 3_2_00417239
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00417B1B push edx; iretd 3_2_00417B1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00417BF0 push ebp; retf 3_2_00417CDC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00409B98 push edx; ret 3_2_00409BA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00416C4F push cs; retf 3_2_00416C62
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041D475 push eax; ret 3_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041D4C2 push eax; ret 3_2_0041D4C8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041D4CB push eax; ret 3_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041D52C push eax; ret 3_2_0041D532
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041667F push 91E0EF31h; ret 3_2_004166B4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C0225F pushad ; ret 3_2_03C027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C027FA pushad ; ret 3_2_03C027F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C309AD push ecx; mov dword ptr [esp], ecx 3_2_03C309B6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C0283D push eax; iretd 3_2_03C02858
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C01368 push eax; iretd 3_2_03C01369
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C01065 push edi; ret 3_2_03C0108A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C018F3 push edx; iretd 3_2_03C01906
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B1EB1E push esp; retn 0000h 3_2_03B1EB1F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B1EB02 push esp; retn 0000h 3_2_03B1EB03
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B1E9B5 push esp; retn 0000h 3_2_03B1EAE7
          Source: C:\Windows\explorer.exe Code function: 4_2_0E391B1E push esp; retn 0000h 4_2_0E391B1F
          Source: C:\Windows\explorer.exe Code function: 4_2_0E391B02 push esp; retn 0000h 4_2_0E391B03
          Source: C:\Windows\explorer.exe Code function: 4_2_0E3919B5 push esp; retn 0000h 4_2_0E391AE7
          Source: C:\Windows\explorer.exe Code function: 4_2_111A89B5 push esp; retn 0000h 4_2_111A8AE7
          Source: C:\Windows\explorer.exe Code function: 4_2_111A8B1E push esp; retn 0000h 4_2_111A8B1F
          Source: C:\Windows\explorer.exe Code function: 4_2_111A8B02 push esp; retn 0000h 4_2_111A8B03
          Source: C:\Windows\explorer.exe Code function: 4_2_112E7B02 push esp; retn 0000h 4_2_112E7B03
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe File created: C:\Users\user\AppData\Local\antholite\overrough.exe

          Boot Survival

          Source: C:\Users\user\AppData\Local\antholite\overrough.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_0037F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0037F98E
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003F1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_003F1C41
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_007CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_007CF98E
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_00841C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00841C41
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-96806
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe API/Special instruction interceptor: Address: 153359C
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe API/Special instruction interceptor: Address: 10D13AC
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2EE9904 second address: 2EE990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2EE9B6E second address: 2EE9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 2669904 second address: 266990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 2669B6E second address: 2669B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: A59904 second address: A5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: A59B6E second address: A59B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9652
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 790
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 798
          Source: C:\Windows\SysWOW64\WWAHost.exe Window / User API: threadDelayed 382
          Source: C:\Windows\SysWOW64\WWAHost.exe Window / User API: threadDelayed 9591
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe API coverage: 3.5 %
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe API coverage: 3.8 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.0 %
          Source: C:\Windows\explorer.exe TID: 5476 Thread sleep time: -19304000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5476 Thread sleep time: -580000s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 3532 Thread sleep count: 382 > 30
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 3532 Thread sleep time: -764000s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 3532 Thread sleep count: 9591 > 30
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 3532 Thread sleep time: -19182000s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_0039C2A2 FindFirstFileExW,0_2_0039C2A2
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D68EE FindFirstFileW,FindClose,0_2_003D68EE
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_003D698F
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003CD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003CD076
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003CD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003CD3A9
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003D9642
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003D979D
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_003D9B2B
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003CDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_003CDBBE
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003D5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_003D5C97
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_007EC2A2 FindFirstFileExW,2_2_007EC2A2
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_008268EE FindFirstFileW,FindClose,2_2_008268EE
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_0082698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,2_2_0082698F
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_0081D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0081D076
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_0081D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0081D3A9
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_00829642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00829642
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_0082979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0082979D
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_0081DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,2_2_0081DBBE
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_00829B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00829B2B
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_00825C97 FindFirstFileW,FindNextFileW,FindClose,2_2_00825C97
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003642DE
          Source: explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 00000004.00000000.2256015421.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
          Source: explorer.exe, 00000004.00000000.2256015421.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 00000004.00000002.4684747503.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000004.00000002.4672455527.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.4672455527.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 00000004.00000002.4684747503.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000004.00000000.2256015421.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 00000004.00000002.4672455527.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000004.00000002.4672455527.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.2256015421.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0040ACE0 LdrLoadDll,3_2_0040ACE0
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003DEAA2 BlockInput,0_2_003DEAA2
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_00392622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00392622
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_003642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003642DE
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_00384CE8 mov eax, dword ptr fs:[00000030h] 0_2_00384CE8
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_019B4618 mov eax, dword ptr fs:[00000030h] 0_2_019B4618
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_019B4678 mov eax, dword ptr fs:[00000030h] 0_2_019B4678
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe Code function: 0_2_019B2FA8 mov eax, dword ptr fs:[00000030h] 0_2_019B2FA8
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_007D4CE8 mov eax, dword ptr fs:[00000030h] 2_2_007D4CE8
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_01532198 mov eax, dword ptr fs:[00000030h] 2_2_01532198
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_01533868 mov eax, dword ptr fs:[00000030h] 2_2_01533868
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe Code function: 2_2_01533808 mov eax, dword ptr fs:[00000030h] 2_2_01533808
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CEC3CD mov eax, dword ptr fs:[00000030h] 3_2_03CEC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 3_2_03C3A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C383C0 mov eax, dword ptr fs:[00000030h] 3_2_03C383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CB63C0 mov eax, dword ptr fs:[00000030h] 3_2_03CB63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 3_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] 3_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 3_2_03CDE3DB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 3_2_03CD43D4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C403E9 mov eax, dword ptr fs:[00000030h] 3_2_03C403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 3_2_03C4E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C663FF mov eax, dword ptr fs:[00000030h] 3_2_03C663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C2E388 mov eax, dword ptr fs:[00000030h] 3_2_03C2E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C5438F mov eax, dword ptr fs:[00000030h] 3_2_03C5438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C28397 mov eax, dword ptr fs:[00000030h] 3_2_03C28397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CB2349 mov eax, dword ptr fs:[00000030h] 3_2_03CB2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h] 3_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CB035C mov ecx, dword ptr fs:[00000030h] 3_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CB035C mov eax, dword ptr fs:[00000030h] 3_2_03CB035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CFA352 mov eax, dword ptr fs:[00000030h] 3_2_03CFA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CD8350 mov ecx, dword ptr fs:[00000030h] 3_2_03CD8350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03D0634F mov eax, dword ptr fs:[00000030h] 3_2_03D0634F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03CD437C mov eax, dword ptr fs:[00000030h] 3_2_03CD437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C6A30B mov eax, dword ptr fs:[00000030h] 3_2_03C6A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C2C310 mov ecx, dword ptr fs:[00000030h] 3_2_03C2C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C50310 mov ecx, dword ptr fs:[00000030h] 3_2_03C50310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03D08324 mov eax, dword ptr fs:[00000030h] 3_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03D08324 mov ecx, dword ptr fs:[00000030h] 3_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03D08324 mov eax, dword ptr fs:[00000030h] 3_2_03D08324
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 3_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]3_2_03C3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D062D6 mov eax, dword ptr fs:[00000030h]3_2_03D062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]3_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]3_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C402E1 mov eax, dword ptr fs:[00000030h]3_2_03C402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]3_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E284 mov eax, dword ptr fs:[00000030h]3_2_03C6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]3_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]3_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB0283 mov eax, dword ptr fs:[00000030h]3_2_03CB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC62A0 mov eax, dword ptr fs:[00000030h]3_2_03CC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB8243 mov eax, dword ptr fs:[00000030h]3_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB8243 mov ecx, dword ptr fs:[00000030h]3_2_03CB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D0625D mov eax, dword ptr fs:[00000030h]3_2_03D0625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A250 mov eax, dword ptr fs:[00000030h]3_2_03C2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C36259 mov eax, dword ptr fs:[00000030h]3_2_03C36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]3_2_03CEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEA250 mov eax, dword ptr fs:[00000030h]3_2_03CEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]3_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]3_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C34260 mov eax, dword ptr fs:[00000030h]3_2_03C34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2826B mov eax, dword ptr fs:[00000030h]3_2_03C2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE0274 mov eax, dword ptr fs:[00000030h]3_2_03CE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2823B mov eax, dword ptr fs:[00000030h]3_2_03C2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]3_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF61C3 mov eax, dword ptr fs:[00000030h]3_2_03CF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]3_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]3_2_03CAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D061E5 mov eax, dword ptr fs:[00000030h]3_2_03D061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C601F8 mov eax, dword ptr fs:[00000030h]3_2_03C601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C70185 mov eax, dword ptr fs:[00000030h]3_2_03C70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]3_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CEC188 mov eax, dword ptr fs:[00000030h]3_2_03CEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]3_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD4180 mov eax, dword ptr fs:[00000030h]3_2_03CD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]3_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]3_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]3_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB019F mov eax, dword ptr fs:[00000030h]3_2_03CB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]3_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]3_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A197 mov eax, dword ptr fs:[00000030h]3_2_03C2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]3_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]3_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC4144 mov ecx, dword ptr fs:[00000030h]3_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]3_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC4144 mov eax, dword ptr fs:[00000030h]3_2_03CC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2C156 mov eax, dword ptr fs:[00000030h]3_2_03C2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC8158 mov eax, dword ptr fs:[00000030h]3_2_03CC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]3_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C36154 mov eax, dword ptr fs:[00000030h]3_2_03C36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]3_2_03D04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D04164 mov eax, dword ptr fs:[00000030h]3_2_03D04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov eax, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDE10E mov ecx, dword ptr fs:[00000030h]3_2_03CDE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDA118 mov ecx, dword ptr fs:[00000030h]3_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]3_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]3_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CDA118 mov eax, dword ptr fs:[00000030h]3_2_03CDA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF0115 mov eax, dword ptr fs:[00000030h]3_2_03CF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C60124 mov eax, dword ptr fs:[00000030h]3_2_03C60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB20DE mov eax, dword ptr fs:[00000030h]3_2_03CB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]3_2_03C2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C380E9 mov eax, dword ptr fs:[00000030h]3_2_03C380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB60E0 mov eax, dword ptr fs:[00000030h]3_2_03CB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]3_2_03C2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C720F0 mov ecx, dword ptr fs:[00000030h]3_2_03C720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3208A mov eax, dword ptr fs:[00000030h]3_2_03C3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C280A0 mov eax, dword ptr fs:[00000030h]3_2_03C280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC80A8 mov eax, dword ptr fs:[00000030h]3_2_03CC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF60B8 mov eax, dword ptr fs:[00000030h]3_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]3_2_03CF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C32050 mov eax, dword ptr fs:[00000030h]3_2_03C32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB6050 mov eax, dword ptr fs:[00000030h]3_2_03CB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5C073 mov eax, dword ptr fs:[00000030h]3_2_03C5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB4000 mov ecx, dword ptr fs:[00000030h]3_2_03CB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD2000 mov eax, dword ptr fs:[00000030h]3_2_03CD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]3_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]3_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]3_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E016 mov eax, dword ptr fs:[00000030h]3_2_03C4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2A020 mov eax, dword ptr fs:[00000030h]3_2_03C2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C2C020 mov eax, dword ptr fs:[00000030h]3_2_03C2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC6030 mov eax, dword ptr fs:[00000030h]3_2_03CC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]3_2_03C3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB07C3 mov eax, dword ptr fs:[00000030h]3_2_03CB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]3_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]3_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C527ED mov eax, dword ptr fs:[00000030h]3_2_03C527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]3_2_03CBE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]3_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C347FB mov eax, dword ptr fs:[00000030h]3_2_03C347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CD678E mov eax, dword ptr fs:[00000030h]3_2_03CD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C307AF mov eax, dword ptr fs:[00000030h]3_2_03C307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CE47A0 mov eax, dword ptr fs:[00000030h]3_2_03CE47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6674D mov esi, dword ptr fs:[00000030h]3_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]3_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6674D mov eax, dword ptr fs:[00000030h]3_2_03C6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C30750 mov eax, dword ptr fs:[00000030h]3_2_03C30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CBE75D mov eax, dword ptr fs:[00000030h]3_2_03CBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]3_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C72750 mov eax, dword ptr fs:[00000030h]3_2_03C72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB4755 mov eax, dword ptr fs:[00000030h]3_2_03CB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C38770 mov eax, dword ptr fs:[00000030h]3_2_03C38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C40770 mov eax, dword ptr fs:[00000030h]3_2_03C40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C700 mov eax, dword ptr fs:[00000030h]3_2_03C6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C30710 mov eax, dword ptr fs:[00000030h]3_2_03C30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C60710 mov eax, dword ptr fs:[00000030h]3_2_03C60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]3_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C720 mov eax, dword ptr fs:[00000030h]3_2_03C6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]3_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6273C mov ecx, dword ptr fs:[00000030h]3_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6273C mov eax, dword ptr fs:[00000030h]3_2_03C6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAC730 mov eax, dword ptr fs:[00000030h]3_2_03CAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]3_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]3_2_03C6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03CAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]3_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB06F1 mov eax, dword ptr fs:[00000030h]3_2_03CB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]3_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C34690 mov eax, dword ptr fs:[00000030h]3_2_03C34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]3_2_03C6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C666B0 mov eax, dword ptr fs:[00000030h]3_2_03C666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4C640 mov eax, dword ptr fs:[00000030h]3_2_03C4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]3_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CF866E mov eax, dword ptr fs:[00000030h]3_2_03CF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]3_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A660 mov eax, dword ptr fs:[00000030h]3_2_03C6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C62674 mov eax, dword ptr fs:[00000030h]3_2_03C62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CAE609 mov eax, dword ptr fs:[00000030h]3_2_03CAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4260B mov eax, dword ptr fs:[00000030h]3_2_03C4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C72619 mov eax, dword ptr fs:[00000030h]3_2_03C72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C4E627 mov eax, dword ptr fs:[00000030h]3_2_03C4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C66620 mov eax, dword ptr fs:[00000030h]3_2_03C66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C68620 mov eax, dword ptr fs:[00000030h]3_2_03C68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C3262C mov eax, dword ptr fs:[00000030h]3_2_03C3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]3_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E5CF mov eax, dword ptr fs:[00000030h]3_2_03C6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C365D0 mov eax, dword ptr fs:[00000030h]3_2_03C365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]3_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]3_2_03C6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03C5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C325E0 mov eax, dword ptr fs:[00000030h]3_2_03C325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]3_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6C5ED mov eax, dword ptr fs:[00000030h]3_2_03C6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C32582 mov eax, dword ptr fs:[00000030h]3_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C32582 mov ecx, dword ptr fs:[00000030h]3_2_03C32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C64588 mov eax, dword ptr fs:[00000030h]3_2_03C64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6E59C mov eax, dword ptr fs:[00000030h]3_2_03C6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]3_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]3_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CB05A7 mov eax, dword ptr fs:[00000030h]3_2_03CB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]3_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C545B1 mov eax, dword ptr fs:[00000030h]3_2_03C545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]3_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C38550 mov eax, dword ptr fs:[00000030h]3_2_03C38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]3_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]3_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C6656A mov eax, dword ptr fs:[00000030h]3_2_03C6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03CC6500 mov eax, dword ptr fs:[00000030h]3_2_03CC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h]3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h] | 3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h] | 3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h] | 3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04500 mov eax, dword ptr fs:[00000030h] | 3_2_03D04500
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40535 mov eax, dword ptr fs:[00000030h] | 3_2_03C40535
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 3_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 3_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 3_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 3_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E53E mov eax, dword ptr fs:[00000030h] | 3_2_03C5E53E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C304E5 mov ecx, dword ptr fs:[00000030h] | 3_2_03C304E5
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CEA49A mov eax, dword ptr fs:[00000030h] | 3_2_03CEA49A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C364AB mov eax, dword ptr fs:[00000030h] | 3_2_03C364AB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C644B0 mov ecx, dword ptr fs:[00000030h] | 3_2_03C644B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBA4B0 mov eax, dword ptr fs:[00000030h] | 3_2_03CBA4B0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6E443 mov eax, dword ptr fs:[00000030h] | 3_2_03C6E443
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CEA456 mov eax, dword ptr fs:[00000030h] | 3_2_03CEA456
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2645D mov eax, dword ptr fs:[00000030h] | 3_2_03C2645D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5245A mov eax, dword ptr fs:[00000030h] | 3_2_03C5245A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBC460 mov ecx, dword ptr fs:[00000030h] | 3_2_03CBC460
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 3_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 3_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5A470 mov eax, dword ptr fs:[00000030h] | 3_2_03C5A470
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h] | 3_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h] | 3_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C68402 mov eax, dword ptr fs:[00000030h] | 3_2_03C68402
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 3_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 3_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2E420 mov eax, dword ptr fs:[00000030h] | 3_2_03C2E420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2C427 mov eax, dword ptr fs:[00000030h] | 3_2_03C2C427
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB6420 mov eax, dword ptr fs:[00000030h] | 3_2_03CB6420
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6A430 mov eax, dword ptr fs:[00000030h] | 3_2_03C6A430
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 3_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 3_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C50BCB mov eax, dword ptr fs:[00000030h] | 3_2_03C50BCB
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 3_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 3_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C30BCD mov eax, dword ptr fs:[00000030h] | 3_2_03C30BCD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CDEBD0 mov eax, dword ptr fs:[00000030h] | 3_2_03CDEBD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C38BF0 mov eax, dword ptr fs:[00000030h] | 3_2_03C38BF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5EBFC mov eax, dword ptr fs:[00000030h] | 3_2_03C5EBFC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBCBF0 mov eax, dword ptr fs:[00000030h] | 3_2_03CBCBF0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 3_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40BBE mov eax, dword ptr fs:[00000030h] | 3_2_03C40BBE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 3_2_03CE4BB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CE4BB0 mov eax, dword ptr fs:[00000030h] | 3_2_03CE4BB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 3_2_03CE4B4B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CE4B4B mov eax, dword ptr fs:[00000030h] | 3_2_03CE4B4B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 3_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 3_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 3_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D02B57 mov eax, dword ptr fs:[00000030h] | 3_2_03D02B57
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 3_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CC6B40 mov eax, dword ptr fs:[00000030h] | 3_2_03CC6B40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CFAB40 mov eax, dword ptr fs:[00000030h] | 3_2_03CFAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CD8B42 mov eax, dword ptr fs:[00000030h] | 3_2_03CD8B42
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C28B50 mov eax, dword ptr fs:[00000030h] | 3_2_03C28B50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CDEB50 mov eax, dword ptr fs:[00000030h] | 3_2_03CDEB50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C2CB7E mov eax, dword ptr fs:[00000030h] | 3_2_03C2CB7E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04B00 mov eax, dword ptr fs:[00000030h] | 3_2_03D04B00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAEB1D mov eax, dword ptr fs:[00000030h] | 3_2_03CAEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 3_2_03C5EB20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5EB20 mov eax, dword ptr fs:[00000030h] | 3_2_03C5EB20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 3_2_03CF8B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CF8B28 mov eax, dword ptr fs:[00000030h] | 3_2_03CF8B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 3_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 3_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C86ACC mov eax, dword ptr fs:[00000030h] | 3_2_03C86ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C30AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03C30AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03C64AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C64AD0 mov eax, dword ptr fs:[00000030h] | 3_2_03C64AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 3_2_03C6AAEE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6AAEE mov eax, dword ptr fs:[00000030h] | 3_2_03C6AAEE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3EA80 mov eax, dword ptr fs:[00000030h] | 3_2_03C3EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04A80 mov eax, dword ptr fs:[00000030h] | 3_2_03D04A80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C68A90 mov edx, dword ptr fs:[00000030h] | 3_2_03C68A90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 3_2_03C38AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C38AA0 mov eax, dword ptr fs:[00000030h] | 3_2_03C38AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C86AA4 mov eax, dword ptr fs:[00000030h] | 3_2_03C86AA4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C36A50 mov eax, dword ptr fs:[00000030h] | 3_2_03C36A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 3_2_03C40A5B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C40A5B mov eax, dword ptr fs:[00000030h] | 3_2_03C40A5B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 3_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 3_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6CA6F mov eax, dword ptr fs:[00000030h] | 3_2_03C6CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CDEA60 mov eax, dword ptr fs:[00000030h] | 3_2_03CDEA60
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 3_2_03CACA72
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CACA72 mov eax, dword ptr fs:[00000030h] | 3_2_03CACA72
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBCA11 mov eax, dword ptr fs:[00000030h] | 3_2_03CBCA11
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6CA24 mov eax, dword ptr fs:[00000030h] | 3_2_03C6CA24
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5EA2E mov eax, dword ptr fs:[00000030h] | 3_2_03C5EA2E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 3_2_03C54A35
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C54A35 mov eax, dword ptr fs:[00000030h] | 3_2_03C54A35
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6CA38 mov eax, dword ptr fs:[00000030h] | 3_2_03C6CA38
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CC69C0 mov eax, dword ptr fs:[00000030h] | 3_2_03CC69C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C3A9D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C3A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C649D0 mov eax, dword ptr fs:[00000030h] | 3_2_03C649D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CFA9D3 mov eax, dword ptr fs:[00000030h] | 3_2_03CFA9D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBE9E0 mov eax, dword ptr fs:[00000030h] | 3_2_03CBE9E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 3_2_03C629F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C629F9 mov eax, dword ptr fs:[00000030h] | 3_2_03C629F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C429A0 mov eax, dword ptr fs:[00000030h] | 3_2_03C429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h] | 3_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C309AD mov eax, dword ptr fs:[00000030h] | 3_2_03C309AD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB89B3 mov esi, dword ptr fs:[00000030h] | 3_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 3_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB89B3 mov eax, dword ptr fs:[00000030h] | 3_2_03CB89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB0946 mov eax, dword ptr fs:[00000030h] | 3_2_03CB0946
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D04940 mov eax, dword ptr fs:[00000030h] | 3_2_03D04940
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h] | 3_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h] | 3_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C56962 mov eax, dword ptr fs:[00000030h] | 3_2_03C56962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h] | 3_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C7096E mov edx, dword ptr fs:[00000030h] | 3_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C7096E mov eax, dword ptr fs:[00000030h] | 3_2_03C7096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 3_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CD4978 mov eax, dword ptr fs:[00000030h] | 3_2_03CD4978
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBC97C mov eax, dword ptr fs:[00000030h] | 3_2_03CBC97C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 3_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CAE908 mov eax, dword ptr fs:[00000030h] | 3_2_03CAE908
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBC912 mov eax, dword ptr fs:[00000030h] | 3_2_03CBC912
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h] | 3_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C28918 mov eax, dword ptr fs:[00000030h] | 3_2_03C28918
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CB892A mov eax, dword ptr fs:[00000030h] | 3_2_03CB892A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CC892B mov eax, dword ptr fs:[00000030h] | 3_2_03CC892B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C5E8C0 mov eax, dword ptr fs:[00000030h] | 3_2_03C5E8C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03D008C0 mov eax, dword ptr fs:[00000030h] | 3_2_03D008C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CFA8E4 mov eax, dword ptr fs:[00000030h] | 3_2_03CFA8E4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 3_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C6C8F9 mov eax, dword ptr fs:[00000030h] | 3_2_03C6C8F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C30887 mov eax, dword ptr fs:[00000030h] | 3_2_03C30887
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03CBC89D mov eax, dword ptr fs:[00000030h] | 3_2_03CBC89D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C42840 mov ecx, dword ptr fs:[00000030h] | 3_2_03C42840
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree | 0_2_003C0B62
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00392622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00392622
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0038083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0038083F
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003809D5 SetUnhandledExceptionFilter | 0_2_003809D5
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00380C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00380C21
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_007E2622
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_007D083F
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D09D5 SetUnhandledExceptionFilter | 2_2_007D09D5
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_007D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_007D0C21

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\WWAHost.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 8E0000
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: B40000
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 312E008
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 25A7008
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_003C1201
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003A2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_003A2BA5
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003CB226 SendInput,keybd_event | 0_2_003CB226
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003E22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event | 0_2_003E22DA
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\antholite\overrough.exe "C:\Users\user\AppData\Local\antholite\overrough.exe"
          Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\antholite\overrough.exe"
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree | 0_2_003C0B62
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003C1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_003C1663
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, overrough.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: explorer.exe, 00000004.00000002.4678273565.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2248112608.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
          Source: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe, overrough.exe, explorer.exe, 00000004.00000002.4678273565.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4682271702.00000000048E0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.4678273565.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2248112608.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.4672455527.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2247652004.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
          Source: explorer.exe, 00000004.00000002.4678273565.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2248112608.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000002.4685948475.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979266187.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2256015421.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_00380698 cpuid | 0_2_00380698
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003D8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW | 0_2_003D8195
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003BD27A GetUserNameW | 0_2_003BD27A
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_0039B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 0_2_0039B952
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_003642DE
          Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: overrough.exe | Binary or memory string: WIN_81
Source: overrough.exe | Binary or memory string: WIN_XP
Source: overrough.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: overrough.exe | Binary or memory string: WIN_XPe
Source: overrough.exe | Binary or memory string: WIN_VISTA
Source: overrough.exe | Binary or memory string: WIN_7
Source: overrough.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.overrough.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.overrough.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.overrough.exe.1e20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.svchost.exe.2660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_003E1204
Source: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | Code function: 0_2_003E1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_003E1806
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00831204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_00831204
Source: C:\Users\user\AppData\Local\antholite\overrough.exe | Code function: 2_2_00831806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00831806
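Added example, not part of the Joe Sandbox report: a small triage helper that parses "Code function" lines of the shape shown above (binary, function id, comma-separated API sequence, repeated function id) and flags ordered API chains worth a second look. The chain table and its labels are my own choices, not anything the report defines; the sample lines are copied from this section.

```python
"""Triage the 'Code function' API-chain lines of a sandbox report.

Added example, not part of the Joe Sandbox report. CHAINS is my own pick of
API subsequences worth flagging; SAMPLE_LINES are copied from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from lines of the report above ("Source: <binary>Code function: ...").
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: "
    "0_2_003E1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_003E1204",
    "Source: C:\\Users\\user\\AppData\\Local\\antholite\\overrough.exeCode function: "
    "2_2_00831806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00831806",
    "Source: C:\\Users\\user\\Desktop\\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: "
    "0_2_003642DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,"
    "GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003642DE",
    "Source: C:\\Users\\user\\Desktop\\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exeCode function: "
    "0_2_003BD27A GetUserNameW,0_2_003BD27A",
]

# The report glues the binary path straight onto "Code function:", and the
# function id opens and closes the API list, so anchor on both.
LINE_RE = re.compile(
    r"^Source: (?P<binary>.+?)Code function: (?P<fid>\S+) (?P<apis>.+?),(?P=fid)$"
)

# Ordered API subsequences (not necessarily adjacent) and what they suggest.
# My own labels, chosen for this example.
CHAINS: dict[str, tuple[str, ...]] = {
    "listening-socket": ("socket", "bind", "listen"),
    "os-fingerprint": ("GetVersionExW", "IsWow64Process", "GetNativeSystemInfo"),
    "user-discovery": ("GetUserNameW",),
}


@dataclass
class CodeFunction:
    binary: str
    fid: str
    apis: list[str]


def parse_line(line: str) -> CodeFunction | None:
    """Split one report line into binary, function id and API list; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a for a in m.group("apis").split(",") if a]
    return CodeFunction(m.group("binary"), m.group("fid"), apis)


def is_subsequence(needle: tuple[str, ...], haystack: list[str]) -> bool:
    """True if every API in needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(any(api == want for api in it) for want in needle)


def classify(func: CodeFunction) -> list[str]:
    """Return the CHAINS labels whose APIs appear in order in the function."""
    return [name for name, chain in CHAINS.items() if is_subsequence(chain, func.apis)]


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each parsable function id to its chain labels; unparsable lines are skipped."""
    results: dict[str, list[str]] = {}
    for line in lines:
        func = parse_line(line)
        if func is None:
            continue
        results[func.fid] = classify(func)
    return results


if __name__ == "__main__":
    for fid, labels in triage(SAMPLE_LINES).items():
        print(fid, labels or "-")
```

Read the output with the rest of the report in mind: the dropper and overrough.exe carry the same socket/bind/listen chain at the same low-order offsets (…1204 and …1806), and both are flagged as compiled AutoIt scripts, so the chain is at least as likely to come from the AutoIt runtime's built-in TCP support as from the script's own logic. Treat a flagged chain as a reason to look at that function, not as a finding on its own.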
MITRE ATT&CK matrix (one row per line; numeric prefixes are the report's count badges, kept as extracted)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 1 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 216 System Information Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 512 Process Injection | 1 Masquerading | LSA Secrets | 441 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 512 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID 1591537; sample rRFQ_BIDLET-PO772917811_PRO...; start date 15/01/2025; architecture WINDOWS; score 100). The graph image is not reproduced; the process tree, dropped files and per-node signatures it showed are listed below. Numbers in parentheses after a process name are the graph's created-file / created-registry-value counters.

Contacted domains: www.ustjump.xyz, www.skfa.info, 9 other IPs or domains (signature: Performs DNS queries to domains with low reputation)
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures

rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe (3), started
    dropped: C:\Users\user\AppData\Local\...\overrough.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
    -> overrough.exe (1), started
        dropped: C:\Users\user\AppData\...\overrough.vbs, data
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 6 other signatures
        -> svchost.exe, started
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
            -> explorer.exe (69, 2), injected
                -> wscript.exe (1), started
                    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    -> overrough.exe, started
                        signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                        -> svchost.exe, started
                            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
                -> WWAHost.exe, started
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                    -> cmd.exe (1), started
                        -> conhost.exe, started
                -> cmmon32.exe, started

Source | Detection | Scanner | Label
rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | 28% | Virustotal |
rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | 29% | ReversingLabs | Win32.Trojan.Generic
rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | 100% | Avira | DR/AutoIt.Gen8
rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\antholite\overrough.exe | 100% | Avira | DR/AutoIt.Gen8
C:\Users\user\AppData\Local\antholite\overrough.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\antholite\overrough.exe | 29% | ReversingLabs | Win32.Trojan.Generic
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.ristav.funReferer: | 0% | Avira URL Cloud | safe
http://www.06ks28.buzzReferer: | 0% | Avira URL Cloud | safe
http://www.odernoob.website/bs84/www.ustjump.xyz | 0% | Avira URL Cloud | safe
http://www.kaislotplay.shopReferer: | 0% | Avira URL Cloud | safe
http://www.unnycdn02.shop/bs84/ | 0% | Avira URL Cloud | safe
http://www.partments-in-dubai-66339.bond/bs84/www.ofiveuss.store | 0% | Avira URL Cloud | safe
http://www.skfa.infoReferer: | 0% | Avira URL Cloud | safe
http://www.ehuatang.quest | 0% | Avira URL Cloud | safe
http://www.skfa.info | 0% | Avira URL Cloud | safe
http://www.06ks28.buzz/bs84/ | 0% | Avira URL Cloud | safe
http://www.ustjump.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.0percentfailrate.bizReferer: | 0% | Avira URL Cloud | safe
http://www.ristav.fun | 0% | Avira URL Cloud | safe
http://www.skfa.info/bs84/www.ehuatang.quest | 0% | Avira URL Cloud | safe
http://www.ecuronixds.xyz/bs84/ | 0% | Avira URL Cloud | safe
http://www.partments-in-dubai-66339.bond | 0% | Avira URL Cloud | safe
http://www.odgersfittedhats.shop | 0% | Avira URL Cloud | safe
http://www.06ks28.buzz | 0% | Avira URL Cloud | safe
http://www.0418.pizza/bs84/ | 0% | Avira URL Cloud | safe
http://www.ristav.fun/bs84/ | 0% | Avira URL Cloud | safe
http://www.ecuronixds.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.ustjump.xyz/bs84/ | 0% | Avira URL Cloud | safe
http://www.oodydigital.tech | 0% | Avira URL Cloud | safe
http://www.odernoob.websiteReferer: | 0% | Avira URL Cloud | safe
http://www.ecuronixds.xyz | 0% | Avira URL Cloud | safe
http://www.0percentfailrate.biz | 0% | Avira URL Cloud | safe
http://www.ofiveuss.store/bs84/www.odgersfittedhats.shop | 0% | Avira URL Cloud | safe
http://www.grexvc.online/bs84/ | 0% | Avira URL Cloud | safe
http://www.ofiveuss.store/bs84/ | 0% | Avira URL Cloud | safe
http://www.odgersfittedhats.shop/bs84/ | 0% | Avira URL Cloud | safe
http://www.0418.pizza/bs84/www.odernoob.website | 0% | Avira URL Cloud | safe
http://www.partments-in-dubai-66339.bondReferer: | 0% | Avira URL Cloud | safe
http://www.odernoob.website/bs84/ | 0% | Avira URL Cloud | safe
http://www.odernoob.website | 0% | Avira URL Cloud | safe
http://www.ehuatang.questReferer: | 0% | Avira URL Cloud | safe
http://www.kaislotplay.shop | 0% | Avira URL Cloud | safe
http://www.ofiveuss.storeReferer: | 0% | Avira URL Cloud | safe
http://www.odgersfittedhats.shop/bs84/www.kaislotplay.shop | 0% | Avira URL Cloud | safe
http://www.partments-in-dubai-66339.bond/bs84/ | 0% | Avira URL Cloud | safe
http://www.ecuronixds.xyz/bs84/www.ristav.fun | 0% | Avira URL Cloud | safe
http://www.unnycdn02.shop | 0% | Avira URL Cloud | safe
http://www.grexvc.online | 0% | Avira URL Cloud | safe
http://www.skfa.info/bs84/ | 0% | Avira URL Cloud | safe
http://www.ehuatang.quest/bs84/www.grexvc.online | 0% | Avira URL Cloud | safe
http://www.oodydigital.techReferer: | 0% | Avira URL Cloud | safe
http://www.kaislotplay.shop/bs84/www.unnycdn02.shop | 0% | Avira URL Cloud | safe
http://www.0percentfailrate.biz/bs84/ | 0% | Avira URL Cloud | safe
http://www.ehuatang.quest/bs84/ | 0% | Avira URL Cloud | safe
http://www.grexvc.online/bs84/www.oodydigital.tech | 0% | Avira URL Cloud | safe
http://www.oodydigital.tech/bs84/ | 0% | Avira URL Cloud | safe
www.partments-in-dubai-66339.bond/bs84/ | 0% | Avira URL Cloud | safe
http://www.grexvc.onlineReferer: | 0% | Avira URL Cloud | safe
http://www.0percentfailrate.biz/bs84/www.ecuronixds.xyz | 0% | Avira URL Cloud | safe
http://www.06ks28.buzz/bs84/www.0418.pizza | 0% | Avira URL Cloud | safe
http://www.odgersfittedhats.shopReferer: | 0% | Avira URL Cloud | safe
http://www.ustjump.xyz | 0% | Avira URL Cloud | safe
http://www.0418.pizzaReferer: | 0% | Avira URL Cloud | safe
http://www.ofiveuss.store | 0% | Avira URL Cloud | safe
http://www.unnycdn02.shop/bs84/www.0percentfailrate.biz | 0% | Avira URL Cloud | safe
http://www.ustjump.xyz/bs84/www.skfa.info | 0% | Avira URL Cloud | safe
http://www.unnycdn02.shopReferer: | 0% | Avira URL Cloud | safe
http://www.oodydigital.tech/bs84/www.partments-in-dubai-66339.bond | 0% | Avira URL Cloud | safe
http://www.kaislotplay.shop/bs84/ | 0% | Avira URL Cloud | safe
http://www.0418.pizza | 0% | Avira URL Cloud | safe
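Added example, not part of the Joe Sandbox report: a Python helper that turns URL strings of the kind listed in the table above into a deduplicated host list plus the URI path they share. The sample input is a constructed subset of that table. Two parsing rules are my assumptions, not documented FormBook behaviour: a trailing "Referer:" is the start of the next HTTP header that happened to follow the URL in memory and is stripped, and a string of the form www.a/bs84/www.b is read as host www.a followed by the next host of the sample's in-memory C2 list, which lets the list order be rebuilt from the pairs.

```python
"""Normalize sandbox URL-table strings into a host/path IOC list.

Added example, not part of the Joe Sandbox report. SAMPLE_URLS is a constructed
subset of the report's Avira URL Cloud table; the "Referer:" stripping and the
"www.a/<path>/www.b" pairing rule are assumptions about how those memory
strings were formed, not documented FormBook behaviour.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the URL table above.
SAMPLE_URLS = [
    "http://www.ristav.funReferer:",
    "http://www.06ks28.buzz/bs84/www.0418.pizza",
    "http://www.0418.pizza/bs84/www.odernoob.website",
    "http://www.odernoob.website/bs84/www.ustjump.xyz",
    "http://www.ustjump.xyz/bs84/www.skfa.info",
    "http://www.unnycdn02.shop/bs84/",
    "www.partments-in-dubai-66339.bond/bs84/",
    "http://www.ecuronixds.xyzReferer:",
]

HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}")
PAIR_RE = re.compile(r"(/[^/]+/)(www\.[a-z0-9.-]+)")


def normalize(raw: str) -> tuple[str, str, str | None]:
    """Return (host, path, trailing_host) for one memory string.

    - strips a glued "Referer:" header fragment (assumption: next header in memory)
    - tolerates a missing scheme (assumption: plain HTTP)
    - splits "www.a/<path>/www.b" into host www.a and trailing host www.b
    """
    s = raw.strip().removesuffix("Referer:")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    trailing = None
    m = PAIR_RE.fullmatch(path)
    if m:
        path, trailing = m.group(1), m.group(2)
    return host, path, trailing


def extract_iocs(lines: list[str]) -> tuple[list[str], list[str]]:
    """Deduplicated, sorted hosts (request and trailing) and non-root paths."""
    hosts: set[str] = set()
    paths: set[str] = set()
    for raw in lines:
        host, path, trailing = normalize(raw)
        if HOST_RE.fullmatch(host):
            hosts.add(host)
        if trailing and HOST_RE.fullmatch(trailing):
            hosts.add(trailing)
        if path != "/":
            paths.add(path)
    return sorted(hosts), sorted(paths)


def chain_order(lines: list[str]) -> list[list[str]]:
    """Rebuild list order from host -> trailing-host pairs; one chain per head."""
    next_of: dict[str, str] = {}
    for raw in lines:
        host, _, trailing = normalize(raw)
        if trailing:
            next_of.setdefault(host, trailing)
    heads = [h for h in next_of if h not in next_of.values()]
    chains: list[list[str]] = []
    for head in heads:
        chain: list[str] = []
        seen: set[str] = set()
        cur: str | None = head
        while cur and cur not in seen:   # seen-set guards against a cycle in the pairs
            chain.append(cur)
            seen.add(cur)
            cur = next_of.get(cur)
        chains.append(chain)
    return chains


if __name__ == "__main__":
    hosts, paths = extract_iocs(SAMPLE_URLS)
    print("hosts:", *hosts, sep="\n  ")
    print("paths:", paths)
    print("list order:", chain_order(SAMPLE_URLS))
```

Run over the full table, the fifteen www.a/bs84/www.b pairs link all sixteen www.* hosts into one chain, which is what you would expect if the strings were read off a single contiguous list in memory; every one of those hosts is "unknown" in the DNS table that follows, so the value of this list is as a blocklist and hunting set rather than as live infrastructure. The shared /bs84/ path is the other reusable indicator: it is the same across all hosts in the table, so a proxy rule on the path catches rotation to a domain that is not in the list.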
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
www.odernoob.website | unknown | unknown | true | | unknown
www.odgersfittedhats.shop | unknown | unknown | true | | unknown
www.0418.pizza | unknown | unknown | true | | unknown
www.skfa.info | unknown | unknown | true | | unknown
www.partments-in-dubai-66339.bond | unknown | unknown | true | | unknown
www.ehuatang.quest | unknown | unknown | true | | unknown
www.ofiveuss.store | unknown | unknown | true | | unknown
www.oodydigital.tech | unknown | unknown | true | | unknown
www.06ks28.buzz | unknown | unknown | true | | unknown
www.ustjump.xyz | unknown | unknown | true | | unknown
www.kaislotplay.shop | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.partments-in-dubai-66339.bond/bs84/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.skfa.info | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ristav.funReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2254781265.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000973C000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.odernoob.website/bs84/www.ustjump.xyz | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comM | explorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.unnycdn02.shop/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.06ks28.buzzReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar- | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.partments-in-dubai-66339.bond/bs84/www.ofiveuss.store | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.06ks28.buzz/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.skfa.infoReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/ | explorer.exe, 00000004.00000003.2979834844.000000000C4EE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693449387.000000000C4EB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/e | explorer.exe, 00000004.00000002.4685948475.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979266187.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2256015421.00000000099AB000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 00000004.00000003.2980723976.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980284749.000000000C39F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ehuatang.quest | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kaislotplay.shopReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ustjump.xyzReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false | | high
                                                          http://www.skfa.info/bs84/www.ehuatang.questexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.partments-in-dubai-66339.bondexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.ecuronixds.xyz/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://android.notify.windows.com/iOSexplorer.exe, 00000004.00000003.2980723976.000000000C3AF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980284749.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              https://outlook.comeexplorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000004.00000002.4685948475.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2979266187.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2256015421.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://www.0percentfailrate.bizReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.ristav.funexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.0418.pizza/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.06ks28.buzzexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://www.odgersfittedhats.shopexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.ristav.fun/bs84/explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.ecuronixds.xyzReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://www.oodydigital.techexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://www.ustjump.xyz/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://api.msn.com/Iexplorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.odernoob.websiteReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.0percentfailrate.bizexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.grexvc.online/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.ecuronixds.xyzexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.ofiveuss.store/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.odgersfittedhats.shop/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.ofiveuss.store/bs84/www.odgersfittedhats.shopexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.partments-in-dubai-66339.bondReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.0418.pizza/bs84/www.odernoob.websiteexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.odernoob.website/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://schemas.microexplorer.exe, 00000004.00000000.2251937251.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.2251981518.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.4678811961.00000000028A0000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.odgersfittedhats.shop/bs84/www.kaislotplay.shopexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.kaislotplay.shopexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.ehuatang.questReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.ofiveuss.storeReferer:explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.odernoob.websiteexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.partments-in-dubai-66339.bond/bs84/explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.ecuronixds.xyz/bs84/www.ristav.funexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.unnycdn02.shopexplorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.skfa.info/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.grexvc.online | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.ehuatang.quest/bs84/www.grexvc.online | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oodydigital.techReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kaislotplay.shop/bs84/www.unnycdn02.shop | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.0percentfailrate.biz/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://excel.office.com- | explorer.exe, 00000004.00000002.4691885016.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2981106264.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000C048000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.ehuatang.quest/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.grexvc.online/bs84/www.oodydigital.tech | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oodydigital.tech/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.0percentfailrate.biz/bs84/www.ecuronixds.xyz | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.06ks28.buzz/bs84/www.0418.pizza | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://powerpoint.office.comEMd | explorer.exe, 00000004.00000002.4691885016.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2267034588.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.grexvc.onlineReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.odgersfittedhats.shopReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ustjump.xyz | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.0418.pizzaReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ofiveuss.store | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.unnycdn02.shop/bs84/www.0percentfailrate.biz | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.unnycdn02.shopReferer: | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ustjump.xyz/bs84/www.skfa.info | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.oodydigital.tech/bs84/www.partments-in-dubai-66339.bond | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.kaislotplay.shop/bs84/ | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 00000004.00000000.2254781265.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4684747503.000000000962B000.00000004.00000001.00020000.00000000.sdmp | false |  | high
http://www.0418.pizza | explorer.exe, 00000004.00000003.2980388685.000000000C53C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980574684.000000000C53D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2980765057.000000000C545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.4693951170.000000000C540000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075190269.000000000C545000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
https://www.msn.com:443/en-us/feed | explorer.exe, 00000004.00000002.4682524491.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.2250278472.00000000073E5000.00000004.00000001.00020000.00000000.sdmp | false |  | high
No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591537
Start date and time: 2025-01-15 03:03:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
Detection: MAL
Classification: mal100.troj.expl.evad.winEXE@18/3@11/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:04:38 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs
21:04:36 | API Interceptor | 8650360x Sleep call for process: explorer.exe modified
21:05:19 | API Interceptor | 7654103x Sleep call for process: WWAHost.exe modified
                                                                                                          No context
                                                                                                           Match: s-part-0017.t-0009.t-msedge.net
                                                                                                           Associated Sample Name / URL | Detection | Threat Name | Context
                                                                                                           xjljKPlxqO.dll | malicious | Wannacry | 13.107.246.45
                                                                                                           GUtEaDsc9X.dll | malicious | Wannacry | 13.107.246.45
                                                                                                           9kNjKSEUym.dll | malicious | Wannacry | 13.107.246.45
                                                                                                           https://telegrams-tw.org/ | malicious | Unknown | 13.107.246.45
                                                                                                           https://6y.tickarmoz.ru/aY57/ | malicious | Unknown | 13.107.246.45
                                                                                                           Eastern Contractors Corporation Contract and submittal document.eml | malicious | Unknown | 13.107.246.45
                                                                                                           download.exe | malicious | Babuk, Mimikatz | 13.107.246.45
                                                                                                           https://emp.eduyield.com/el?aid=962445be-3c17-11ec-9620-0e45aa61dde5&cid=497&dest=https://google.com/amp/avrancecorp.com/wp-web/Griffinwink/64616b6f74616c796e6e406772696666696e77696e6b2e636f6d/$ZGFrb3&pid=564628&rid=68730789 | malicious | Unknown | 13.107.246.45
                                                                                                           habHh1BC0L.dll | malicious | Wannacry | 13.107.246.45
                                                                                                           19MgUpI9tj.dll | malicious | Wannacry | 13.107.246.45
                                                                                                          Process:C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):189440
                                                                                                          Entropy (8bit):7.862694724867084
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3072:KcnxQY+/rrKMnz5jQH2zxM5iDhI42tEpDoFDw856nrZOUgp1agVGK/:KjjRQWzxMgDqcYdAOUeV7
                                                                                                          MD5:CFD88F1485EFA915AE9F95C22360AA08
                                                                                                          SHA1:BAAB69386C3A2DDB758542D0857AD4A0E68DA81D
                                                                                                          SHA-256:53B66D115A37B189818E926C6FE328C4BACB4AFAE6D40689B69ED6235A2C203A
                                                                                                          SHA-512:58E46FC499A67D8C0E41856659C56D080AE4A1F4513335EFC7DBBFF3F644FCE40D8D4DD05D34C6AA35F46661B8E4CED9B91A06AC15C9F77FDE3DC2B23E6F24CE
                                                                                                          Malicious:false
                                                                                                          Reputation:low
                                                                                                          Process:C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1464832
                                                                                                          Entropy (8bit):7.342859448877879
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8a1pSsnwcKYQkZrUEI5DafK:3TvC/MTQYxsWR7a1Isn+k6EI
                                                                                                          MD5:289754998D1520E2BEC7190452C464AC
                                                                                                          SHA1:A25755AA21FF2512D7F0B19AF804C7CA81729767
                                                                                                          SHA-256:DD82F88CDD4A62E9E9B5A081CBD3F98B542614EE6B0E33C2385817AF92C704A1
                                                                                                          SHA-512:03E640719EEE50A99CDCFCE411C940339D5F0142BEB4EBA5D081A9AC493059FC44BE9971F1E78750584CFF478941F04C6EA3D61468F8DD903A6636324353AB08
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                                                                          Process:C:\Users\user\AppData\Local\antholite\overrough.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):284
                                                                                                          Entropy (8bit):3.3800186686128852
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1ElRyXQKYkAnriIM8lfQVn:DsO+vNlDQ1ElRwMmA2n
                                                                                                          MD5:703674E8B5D1C81370A0A075ADA35E8F
                                                                                                          SHA1:86CC11D2BCB615797B7AEE05C24CA35F576F7BA2
                                                                                                          SHA-256:C7924519E03F636B8D142310A02F5CB62DDD18B2ED1F945640CBB9C3C06875A1
                                                                                                          SHA-512:3B7AE6C5B60BDC05DC8A07B776BBCCFC64AC763090B14CE4B7A53EA8F7CE4E336524B93CAE95A7A7384F67E9A6BABA0B27CBED7E1AA6AC50F0A763C87AA8C55B
                                                                                                          Malicious:true
                                                                                                           Preview (UTF-16LE text, decoded):
                                                                                                           Set WshShell = CreateObject("WScript.Shell")
                                                                                                           WshShell.Run "C:\Users\engineer\AppData\Local\antholite\overrough.exe", 1
                                                                                                           Set WshShell = Nothing
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):7.342859448877879
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
                                                                                                          File size:1'464'832 bytes
                                                                                                          MD5:289754998d1520e2bec7190452c464ac
                                                                                                          SHA1:a25755aa21ff2512d7f0b19af804c7ca81729767
                                                                                                          SHA256:dd82f88cdd4a62e9e9b5a081cbd3f98b542614ee6b0e33c2385817af92c704a1
                                                                                                          SHA512:03e640719eee50a99cdcfce411c940339d5f0142beb4eba5d081a9ac493059fc44be9971f1e78750584cff478941f04c6ea3d61468f8dd903a6636324353ab08
                                                                                                          SSDEEP:24576:3qDEvCTbMWu7rQYlBQcBiT6rprG8a1pSsnwcKYQkZrUEI5DafK:3TvC/MTQYxsWR7a1Isn+k6EI
                                                                                                          TLSH:2765D00273D190A2FFAB91334F56F62156BC6A260123EE1F17980CB9BE70571163E7A7
                                                                                                          Icon Hash:20ccce86f2c6ced0
                                                                                                          Entrypoint:0x420577
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x6786F281 [Tue Jan 14 23:25:53 2025 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:5
                                                                                                          OS Version Minor:1
                                                                                                          File Version Major:5
                                                                                                          File Version Minor:1
                                                                                                          Subsystem Version Major:5
                                                                                                          Subsystem Version Minor:1
                                                                                                          Import Hash:948cc502fe9226992dce9417f952fce3
                                                                                                          Instruction
                                                                                                          call 00007F84C04F66E3h
                                                                                                          jmp 00007F84C04F5FEFh
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
                                                                                                          push dword ptr [ebp+08h]
                                                                                                          mov esi, ecx
                                                                                                          call 00007F84C04F61CDh
                                                                                                          mov dword ptr [esi], 0049FDF0h
                                                                                                          mov eax, esi
                                                                                                          pop esi
                                                                                                          pop ebp
                                                                                                          retn 0004h
                                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                                          mov eax, ecx
                                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                                          mov dword ptr [ecx+04h], 0049FDF8h
                                                                                                          mov dword ptr [ecx], 0049FDF0h
                                                                                                          ret
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
                                                                                                          push dword ptr [ebp+08h]
                                                                                                          mov esi, ecx
                                                                                                          call 00007F84C04F619Ah
                                                                                                          mov dword ptr [esi], 0049FE0Ch
                                                                                                          mov eax, esi
                                                                                                          pop esi
                                                                                                          pop ebp
                                                                                                          retn 0004h
                                                                                                          and dword ptr [ecx+04h], 00000000h
                                                                                                          mov eax, ecx
                                                                                                          and dword ptr [ecx+08h], 00000000h
                                                                                                          mov dword ptr [ecx+04h], 0049FE14h
                                                                                                          mov dword ptr [ecx], 0049FE0Ch
                                                                                                          ret
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
                                                                                                          mov esi, ecx
                                                                                                          lea eax, dword ptr [esi+04h]
                                                                                                          mov dword ptr [esi], 0049FDD0h
                                                                                                          and dword ptr [eax], 00000000h
                                                                                                          and dword ptr [eax+04h], 00000000h
                                                                                                          push eax
                                                                                                          mov eax, dword ptr [ebp+08h]
                                                                                                          add eax, 04h
                                                                                                          push eax
                                                                                                          call 00007F84C04F8D8Dh
                                                                                                          pop ecx
                                                                                                          pop ecx
                                                                                                          mov eax, esi
                                                                                                          pop esi
                                                                                                          pop ebp
                                                                                                          retn 0004h
                                                                                                          lea eax, dword ptr [ecx+04h]
                                                                                                          mov dword ptr [ecx], 0049FDD0h
                                                                                                          push eax
                                                                                                          call 00007F84C04F8DD8h
                                                                                                          pop ecx
                                                                                                          ret
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          push esi
                                                                                                          mov esi, ecx
                                                                                                          lea eax, dword ptr [esi+04h]
                                                                                                          mov dword ptr [esi], 0049FDD0h
                                                                                                          push eax
                                                                                                          call 00007F84C04F8DC1h
                                                                                                          test byte ptr [ebp+08h], 00000001h
                                                                                                          pop ecx
                                                                                                          Programming Language:
                                                                                                          • [ C ] VS2008 SP1 build 30729
                                                                                                          • [IMP] VS2008 SP1 build 30729
                                                                                                           Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                                           IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xc8e64         | 0x17c        | .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xd4000         | 0x8ef14      | .rsrc
                                                                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x163000        | 0x7594       | .reloc
                                                                                                           IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xb0ff0         | 0x1c         | .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_TLS            | 0xc3400         | 0x18         | .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xb1010         | 0x40         | .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_IAT            | 0x9c000         | 0x894        | .rdata
                                                                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                                                           IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                                                                           Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type                                   | Entropy            | Characteristics
                                                                                                           .text  | 0x1000          | 0x9ab1d      | 0x9ac00  | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False    | 0.565500681542811   | data                                        | 6.668273581389308  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                           .rdata | 0x9c000         | 0x2fb82      | 0x2fc00  | c9cf2468b60bf4f80f136ed54b3989fb | False    | 0.35289185209424084 | data                                        | 5.691811547483722  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                           .data  | 0xcc000         | 0x706c       | 0x4800   | 53b9025d545d65e23295e30afdbd16d9 | False    | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                           .rsrc  | 0xd4000         | 0x8ef14      | 0x8f000  | e88a52c86f0770433fc89e1ef187f7b3 | False    | 0.962226494208916   | data                                        | 7.9646954113169475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                           .reloc | 0x163000        | 0x7594       | 0x7600   | c68ee8931a32d45eb82dc450ee40efc3 | False    | 0.7628111758474576  | data                                        | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4518 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4640 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd4768 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4890 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2833 x 2833 px/m | English | Great Britain | 0.499113475177305
RT_ICON | 0xd4cf8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2833 x 2833 px/m | English | Great Britain | 0.3454918032786885
RT_ICON | 0xd5680 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2833 x 2833 px/m | English | Great Britain | 0.25609756097560976
RT_ICON | 0xd6728 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2833 x 2833 px/m | English | Great Britain | 0.17603734439834026
RT_ICON | 0xd8cd0 | 0x3459 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.9829117230057458
RT_MENU | 0xdc12c | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xdc17c | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdc710 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdcd9c | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdd22c | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdd828 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdde84 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xde2ec | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xde444 | 0x8457c | data |  |  | 1.0003246777204673
RT_GROUP_ICON | 0x1629c0 | 0x4c | data | English | Great Britain | 0.8157894736842105
RT_GROUP_ICON | 0x162a0c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x162a20 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x162a34 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x162a48 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x162b24 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 03:05:12.678956032 CET | 60800 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:05:12.690722942 CET | 53 | 60800 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:05:32.693912983 CET | 49969 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:05:32.703665972 CET | 53 | 49969 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:05:53.287980080 CET | 54645 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:05:53.300757885 CET | 53 | 54645 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:06:13.693876982 CET | 50864 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:06:13.861911058 CET | 53 | 50864 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:06:34.115969896 CET | 51796 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:06:34.416912079 CET | 53 | 51796 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:06:54.523597002 CET | 56266 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:06:54.535460949 CET | 53 | 56266 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:07:35.272258997 CET | 64955 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:07:35.283207893 CET | 53 | 64955 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:07:55.663463116 CET | 57453 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:07:55.672172070 CET | 53 | 57453 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:08:16.069499016 CET | 60774 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:08:16.081707954 CET | 53 | 60774 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:08:36.476577997 CET | 57111 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:08:36.561650991 CET | 53 | 57111 | 1.1.1.1 | 192.168.2.6
Jan 15, 2025 03:08:59.695725918 CET | 64553 | 53 | 192.168.2.6 | 1.1.1.1
Jan 15, 2025 03:08:59.706465006 CET | 53 | 64553 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 15, 2025 03:05:12.678956032 CET | 192.168.2.6 | 1.1.1.1 | 0xca06 | Standard query (0) | www.06ks28.buzz | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:05:32.693912983 CET | 192.168.2.6 | 1.1.1.1 | 0x473 | Standard query (0) | www.0418.pizza | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:05:53.287980080 CET | 192.168.2.6 | 1.1.1.1 | 0x1027 | Standard query (0) | www.odernoob.website | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:13.693876982 CET | 192.168.2.6 | 1.1.1.1 | 0xcd96 | Standard query (0) | www.ustjump.xyz | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:34.115969896 CET | 192.168.2.6 | 1.1.1.1 | 0x4590 | Standard query (0) | www.skfa.info | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:54.523597002 CET | 192.168.2.6 | 1.1.1.1 | 0x6260 | Standard query (0) | www.ehuatang.quest | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:07:35.272258997 CET | 192.168.2.6 | 1.1.1.1 | 0xe3ee | Standard query (0) | www.oodydigital.tech | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:07:55.663463116 CET | 192.168.2.6 | 1.1.1.1 | 0xe455 | Standard query (0) | www.partments-in-dubai-66339.bond | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:16.069499016 CET | 192.168.2.6 | 1.1.1.1 | 0xa09c | Standard query (0) | www.ofiveuss.store | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:36.476577997 CET | 192.168.2.6 | 1.1.1.1 | 0xf948 | Standard query (0) | www.odgersfittedhats.shop | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:59.695725918 CET | 192.168.2.6 | 1.1.1.1 | 0xd582 | Standard query (0) | www.kaislotplay.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 15, 2025 03:04:31.896071911 CET | 1.1.1.1 | 192.168.2.6 | 0x2f1 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 15, 2025 03:04:31.896071911 CET | 1.1.1.1 | 192.168.2.6 | 0x2f1 | No error (0) | s-part-0017.t-0009.t-msedge.net |  | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:05:12.690722942 CET | 1.1.1.1 | 192.168.2.6 | 0xca06 | Name error (3) | www.06ks28.buzz | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:05:32.703665972 CET | 1.1.1.1 | 192.168.2.6 | 0x473 | Name error (3) | www.0418.pizza | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:05:53.300757885 CET | 1.1.1.1 | 192.168.2.6 | 0x1027 | Name error (3) | www.odernoob.website | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:13.861911058 CET | 1.1.1.1 | 192.168.2.6 | 0xcd96 | Name error (3) | www.ustjump.xyz | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:34.416912079 CET | 1.1.1.1 | 192.168.2.6 | 0x4590 | Name error (3) | www.skfa.info | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:06:54.535460949 CET | 1.1.1.1 | 192.168.2.6 | 0x6260 | Name error (3) | www.ehuatang.quest | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:07:35.283207893 CET | 1.1.1.1 | 192.168.2.6 | 0xe3ee | Name error (3) | www.oodydigital.tech | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:07:55.672172070 CET | 1.1.1.1 | 192.168.2.6 | 0xe455 | Name error (3) | www.partments-in-dubai-66339.bond | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:16.081707954 CET | 1.1.1.1 | 192.168.2.6 | 0xa09c | Name error (3) | www.ofiveuss.store | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:36.561650991 CET | 1.1.1.1 | 192.168.2.6 | 0xf948 | Name error (3) | www.odgersfittedhats.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 15, 2025 03:08:59.706465006 CET | 1.1.1.1 | 192.168.2.6 | 0xd582 | Name error (3) | www.kaislotplay.shop | none | none | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 21:04:33
Start date: 14/01/2025
Path: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
Imagebase: 0x360000
File size: 1'464'832 bytes
MD5 hash: 289754998D1520E2BEC7190452C464AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 21:04:34
Start date: 14/01/2025
Path: C:\Users\user\AppData\Local\antholite\overrough.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
Imagebase: 0x7b0000
File size: 1'464'832 bytes
MD5 hash: 289754998D1520E2BEC7190452C464AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2244853461.0000000001E20000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 29%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 21:04:35
Start date: 14/01/2025
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe"
Imagebase: 0x30000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2312737607.0000000003A80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2311984727.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2312788893.0000000003AB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:4
                                                                                                          Start time:21:04:36
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                          Imagebase:0x7ff609140000
                                                                                                          File size:5'141'208 bytes
                                                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Target ID:5
                                                                                                          Start time:21:04:40
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\WWAHost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\SysWOW64\WWAHost.exe"
                                                                                                          Imagebase:0x8e0000
                                                                                                          File size:886'080 bytes
                                                                                                          MD5 hash:7C7EDAD5BDA9C34FD50C3A58429C90F0
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4677557991.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4675478414.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4673914516.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:moderate
                                                                                                          Has exited:false

                                                                                                          Target ID:6
                                                                                                          Start time:21:04:43
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                                                                                          Imagebase:0x1c0000
                                                                                                          File size:236'544 bytes
                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:7
                                                                                                          Start time:21:04:43
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff66e660000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:11
                                                                                                          Start time:21:04:47
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\System32\wscript.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overrough.vbs"
                                                                                                          Imagebase:0x7ff68de00000
                                                                                                          File size:170'496 bytes
                                                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:12
                                                                                                          Start time:21:04:47
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Users\user\AppData\Local\antholite\overrough.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\antholite\overrough.exe"
                                                                                                          Imagebase:0x7b0000
                                                                                                          File size:1'464'832 bytes
                                                                                                          MD5 hash:289754998D1520E2BEC7190452C464AC
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2376953472.0000000000780000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:21:04:48
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\antholite\overrough.exe"
                                                                                                          Imagebase:0x30000
                                                                                                          File size:46'504 bytes
                                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2412302004.0000000002EB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2412264035.0000000002E80000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.2411584179.0000000002661000.00000020.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:14
                                                                                                          Start time:21:04:50
                                                                                                          Start date:14/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\cmmon32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\SysWOW64\cmmon32.exe"
                                                                                                          Imagebase:0xb40000
                                                                                                          File size:36'352 bytes
                                                                                                          MD5 hash:DEC326E5B4D23503EA5176878DDDB683
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.2419449519.0000000000A50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                          Reputation:moderate
                                                                                                          Has exited:true


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:2.5%
                                                                                                            Dynamic/Decrypted Code Coverage:1.1%
                                                                                                            Signature Coverage:3.5%
                                                                                                            Total number of Nodes:1652
                                                                                                            Total number of Limit Nodes:27
                                                                                                            [Execution graph: the report's node/edge listing (1652 nodes, 27 limit nodes) is a raw graph serialization that does not render in text and is omitted here.]
                                                                                                            Windows API calls named in the graph: PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetModuleFileNameW, GetFullPathNameW, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, GetLastError, EnterCriticalSection, LeaveCriticalSection, CloseHandle, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetStdHandle, GetFileType, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, WaitForSingleObjectEx, SetEvent, ResetEvent, CharUpperBuffW, lstrlenW, GetFileAttributesW, FindFirstFileW, FindClose, SetFilePointerEx.
__wsopen_s 96134->96447 96135->95925 96136->95888 96137->95902 96138->95899 96139->95913 96140->95913 96141->95927 96142->95927 96143->95927 96144->95922 96145->95927 96146->95949 96147->95947 96148->95951 96149->95954 96151 367525 96150->96151 96152 367522 96150->96152 96153 36752d 96151->96153 96154 36755b 96151->96154 96173 369e90 96152->96173 96202 3851c6 26 API calls 96153->96202 96156 3a50f6 96154->96156 96159 36756d 96154->96159 96164 3a500f 96154->96164 96205 385183 26 API calls 96156->96205 96157 36753d 96163 37fddb 22 API calls 96157->96163 96203 37fb21 51 API calls 96159->96203 96160 3a510e 96160->96160 96165 367547 96163->96165 96167 37fe0b 22 API calls 96164->96167 96169 3a5088 96164->96169 96166 369cb3 22 API calls 96165->96166 96166->96152 96168 3a5058 96167->96168 96170 37fddb 22 API calls 96168->96170 96204 37fb21 51 API calls 96169->96204 96171 3a507f 96170->96171 96172 369cb3 22 API calls 96171->96172 96172->96169 96174 366270 22 API calls 96173->96174 96196 369eb5 96174->96196 96175 369fd2 96207 36a4a1 96175->96207 96177 369fec 96177->95964 96180 36a12c __fread_nolock 96181 3af7c4 96180->96181 96184 36a405 96180->96184 96219 3c96e2 84 API calls __wsopen_s 96181->96219 96182 3af699 96189 37fddb 22 API calls 96182->96189 96184->96177 96220 3c96e2 84 API calls __wsopen_s 96184->96220 96187 36a6c3 22 API calls 96187->96196 96188 3af7d2 96190 36a4a1 22 API calls 96188->96190 96191 3af754 96189->96191 96192 3af7e8 96190->96192 96193 37fe0b 22 API calls 96191->96193 96192->96177 96193->96180 96195 36a587 22 API calls 96195->96196 96196->96175 96196->96180 96196->96181 96196->96182 96196->96184 96196->96187 96196->96195 96197 36aec9 22 API calls 96196->96197 96200 36a4a1 22 API calls 96196->96200 96206 364573 41 API calls _wcslen 96196->96206 96216 3648c8 23 API calls 96196->96216 96217 3649bd 22 API calls __fread_nolock 96196->96217 96218 36a673 22 API calls 96196->96218 96198 36a0db CharUpperBuffW 96197->96198 96215 36a673 22 API calls 96198->96215 
96200->96196 96201->95968 96202->96157 96203->96157 96204->96156 96205->96160 96206->96196 96209 36a52b 96207->96209 96214 36a4b1 __fread_nolock 96207->96214 96208 37fddb 22 API calls 96211 36a4b8 96208->96211 96210 37fe0b 22 API calls 96209->96210 96210->96214 96212 37fddb 22 API calls 96211->96212 96213 36a4d6 96211->96213 96212->96213 96213->96177 96214->96208 96215->96196 96216->96196 96217->96196 96218->96196 96219->96188 96220->96177 96222 36575c CreateFileW 96221->96222 96223 3a4035 96221->96223 96225 36577b 96222->96225 96224 3a403b CreateFileW 96223->96224 96223->96225 96224->96225 96226 3a4063 96224->96226 96225->96012 96225->96013 96241 3654c6 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96226->96241 96228 3a406e 96228->96225 96229->95975 96230->95992 96231->96004 96232->96017 96233->96006 96234->96018 96235->96021 96237 3ccd0e 96236->96237 96238 3ccd19 WriteFile 96236->96238 96242 3ccc37 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96237->96242 96238->96020 96240->96027 96241->96228 96242->96238 96244 367510 53 API calls 96243->96244 96245 3e7f90 96244->96245 96267 3e7fd5 ISource 96245->96267 96281 3e8cd3 96245->96281 96247 3e8281 96248 3e844f 96247->96248 96253 3e828f 96247->96253 96322 3e8ee4 60 API calls 96248->96322 96251 3e845e 96252 3e846a 96251->96252 96251->96253 96252->96267 96294 3e7e86 96253->96294 96254 367510 53 API calls 96271 3e8049 96254->96271 96259 3e82c8 96309 37fc70 96259->96309 96262 3e82e8 96315 3d359c 82 API calls __wsopen_s 96262->96315 96263 3e8302 96316 3663eb 22 API calls 96263->96316 96266 3e82f3 GetCurrentProcess TerminateProcess 96266->96263 96267->96031 96268 3e8311 96317 366a50 22 API calls 96268->96317 96270 3e832a 96280 3e8352 96270->96280 96318 3704f0 22 API calls 96270->96318 96271->96247 96271->96254 96271->96267 96313 3c417d 22 API calls __fread_nolock 96271->96313 96314 3e851d 42 API calls _strftime 96271->96314 96273 3e84c5 96273->96267 96277 3e84d9 FreeLibrary 96273->96277 96274 3e8341 96319 3e8b7b 75 
API calls 96274->96319 96277->96267 96280->96273 96320 3704f0 22 API calls 96280->96320 96321 36aceb 23 API calls ISource 96280->96321 96323 3e8b7b 75 API calls 96280->96323 96282 36aec9 22 API calls 96281->96282 96283 3e8cee CharLowerBuffW 96282->96283 96324 3c8e54 96283->96324 96287 36a961 22 API calls 96288 3e8d2a 96287->96288 96331 366d25 22 API calls __fread_nolock 96288->96331 96290 3e8d3e 96291 3693b2 22 API calls 96290->96291 96293 3e8d48 _wcslen 96291->96293 96292 3e8e5e _wcslen 96292->96271 96293->96292 96332 3e851d 42 API calls _strftime 96293->96332 96295 3e7ea1 96294->96295 96299 3e7eec 96294->96299 96296 37fe0b 22 API calls 96295->96296 96297 3e7ec3 96296->96297 96298 37fddb 22 API calls 96297->96298 96297->96299 96298->96297 96300 3e9096 96299->96300 96301 3e92ab ISource 96300->96301 96306 3e90ba _strcat _wcslen 96300->96306 96301->96259 96302 36b567 39 API calls 96302->96306 96303 36b38f 39 API calls 96303->96306 96304 36b6b5 39 API calls 96304->96306 96305 367510 53 API calls 96305->96306 96306->96301 96306->96302 96306->96303 96306->96304 96306->96305 96307 38ea0c 21 API calls ___std_exception_copy 96306->96307 96335 3cefae 24 API calls _wcslen 96306->96335 96307->96306 96310 37fc85 96309->96310 96311 37fd1d VirtualProtect 96310->96311 96312 37fceb 96310->96312 96311->96312 96312->96262 96312->96263 96313->96271 96314->96271 96315->96266 96316->96268 96317->96270 96318->96274 96319->96280 96320->96280 96321->96280 96322->96251 96323->96280 96326 3c8e74 _wcslen 96324->96326 96325 3c8f63 96325->96287 96325->96293 96326->96325 96327 3c8f68 96326->96327 96328 3c8ea9 96326->96328 96327->96325 96334 37ce60 41 API calls 96327->96334 96328->96325 96333 37ce60 41 API calls 96328->96333 96331->96290 96332->96292 96333->96328 96334->96327 96335->96306 96337 36a961 22 API calls 96336->96337 96338 3c92de 96337->96338 96339 366270 22 API calls 96338->96339 96340 3c92f2 96339->96340 96341 3c8e54 41 API calls 96340->96341 96344 3c9314 96340->96344 96343 3c930e 
96341->96343 96342 3c8e54 41 API calls 96342->96344 96343->96344 96362 366d25 22 API calls __fread_nolock 96343->96362 96344->96342 96347 3c93b3 96344->96347 96348 366350 22 API calls 96344->96348 96351 3c9397 96344->96351 96363 366d25 22 API calls __fread_nolock 96344->96363 96349 36a8c7 22 API calls 96347->96349 96350 3c93c2 96347->96350 96348->96344 96349->96350 96350->96067 96364 366d25 22 API calls __fread_nolock 96351->96364 96353 3c93a7 96354 366350 22 API calls 96353->96354 96354->96347 96355->96046 96356->96055 96357->96063 96358->96065 96359->96052 96360->96053 96361->96065 96362->96344 96363->96344 96364->96353 96366 3d99e8 96365->96366 96367 3d9902 96365->96367 96422 3d9caa 39 API calls 96366->96422 96368 37fddb 22 API calls 96367->96368 96370 3d9909 96368->96370 96371 37fe0b 22 API calls 96370->96371 96373 3d991a 96371->96373 96372 3d99ca 96372->96070 96374 366246 CloseHandle 96373->96374 96376 3d9925 96374->96376 96375 3d9ac5 96416 3d1e96 96375->96416 96379 36a961 22 API calls 96376->96379 96378 3d99a2 96378->96372 96378->96375 96381 3d9a33 96378->96381 96382 3d992d 96379->96382 96380 3d9acc 96385 3cccff 4 API calls 96380->96385 96383 367510 53 API calls 96381->96383 96384 366246 CloseHandle 96382->96384 96402 3d9a3a 96383->96402 96386 3d9934 96384->96386 96410 3d9aa8 96385->96410 96388 367510 53 API calls 96386->96388 96387 3d9abb 96424 3ccd57 30 API calls 96387->96424 96390 3d9940 96388->96390 96392 366246 CloseHandle 96390->96392 96391 366270 22 API calls 96394 3d9a7e 96391->96394 96395 3d994a 96392->96395 96393 366246 CloseHandle 96398 3d9b1e 96393->96398 96396 3d9a8e 96394->96396 96399 36a8c7 22 API calls 96394->96399 96397 365745 5 API calls 96395->96397 96401 3633c6 22 API calls 96396->96401 96400 3d9959 96397->96400 96403 366216 CloseHandle 96398->96403 96399->96396 96404 3d995d 96400->96404 96405 3d99c2 96400->96405 96406 3d9a9c 96401->96406 96402->96387 96409 3d9a6e 96402->96409 96403->96372 96420 3653de 27 API calls ISource 96404->96420 
96407 366216 CloseHandle 96405->96407 96423 3ccd57 30 API calls 96406->96423 96407->96372 96409->96391 96410->96372 96410->96393 96412 3d996b 96421 3653c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96412->96421 96414 3d9972 96414->96378 96415 3cccff 4 API calls 96414->96415 96415->96378 96417 3d1e9f 96416->96417 96418 3d1ea4 96416->96418 96425 3d0f67 24 API calls __fread_nolock 96417->96425 96418->96380 96420->96412 96421->96414 96422->96378 96423->96410 96424->96410 96425->96418 96427 3e56a4 96426->96427 96432 3e56f2 96426->96432 96428 37fe0b 22 API calls 96427->96428 96430 3e56c6 96428->96430 96429 37fddb 22 API calls 96429->96430 96430->96429 96430->96432 96444 3d0a59 22 API calls 96430->96444 96432->96077 96434 3d0b13 96433->96434 96435 3d0ada 96433->96435 96434->96103 96435->96434 96436 37fddb 22 API calls 96435->96436 96436->96434 96437->96104 96438->96086 96439->96092 96440->96104 96441->96105 96442->96109 96443->96104 96444->96430 96445->96132 96446->96132 96447->96127 96448->96127 96449->96131 96450->96127 96451 36105b 96456 36344d 96451->96456 96453 36106a 96487 3800a3 29 API calls __onexit 96453->96487 96455 361074 96457 36345d __wsopen_s 96456->96457 96458 36a961 22 API calls 96457->96458 96459 363513 96458->96459 96460 363a5a 24 API calls 96459->96460 96461 36351c 96460->96461 96488 363357 96461->96488 96464 3633c6 22 API calls 96465 363535 96464->96465 96466 36515f 22 API calls 96465->96466 96467 363544 96466->96467 96468 36a961 22 API calls 96467->96468 96469 36354d 96468->96469 96470 36a6c3 22 API calls 96469->96470 96471 363556 RegOpenKeyExW 96470->96471 96472 3a3176 RegQueryValueExW 96471->96472 96476 363578 96471->96476 96473 3a320c RegCloseKey 96472->96473 96474 3a3193 96472->96474 96473->96476 96486 3a321e _wcslen 96473->96486 96475 37fe0b 22 API calls 96474->96475 96477 3a31ac 96475->96477 96476->96453 96478 365722 22 API calls 96477->96478 96479 3a31b7 RegQueryValueExW 96478->96479 96480 3a31d4 96479->96480 96483 3a31ee ISource 
96479->96483 96481 366b57 22 API calls 96480->96481 96481->96483 96482 364c6d 22 API calls 96482->96486 96483->96473 96484 369cb3 22 API calls 96484->96486 96485 36515f 22 API calls 96485->96486 96486->96476 96486->96482 96486->96484 96486->96485 96487->96455 96489 3a1f50 __wsopen_s 96488->96489 96490 363364 GetFullPathNameW 96489->96490 96491 363386 96490->96491 96492 366b57 22 API calls 96491->96492 96493 3633a4 96492->96493 96493->96464 96494 361098 96499 3642de 96494->96499 96498 3610a7 96500 36a961 22 API calls 96499->96500 96501 3642f5 GetVersionExW 96500->96501 96502 366b57 22 API calls 96501->96502 96503 364342 96502->96503 96504 3693b2 22 API calls 96503->96504 96509 364378 96503->96509 96505 36436c 96504->96505 96507 3637a0 22 API calls 96505->96507 96506 36441b GetCurrentProcess IsWow64Process 96508 364437 96506->96508 96507->96509 96510 36444f LoadLibraryA 96508->96510 96511 3a3824 GetSystemInfo 96508->96511 96509->96506 96514 3a37df 96509->96514 96512 364460 GetProcAddress 96510->96512 96513 36449c GetSystemInfo 96510->96513 96512->96513 96515 364470 GetNativeSystemInfo 96512->96515 96516 364476 96513->96516 96515->96516 96517 36109d 96516->96517 96518 36447a FreeLibrary 96516->96518 96519 3800a3 29 API calls __onexit 96517->96519 96518->96517 96519->96498 96520 361044 96525 3610f3 96520->96525 96522 36104a 96561 3800a3 29 API calls __onexit 96522->96561 96524 361054 96562 361398 96525->96562 96529 36116a 96530 36a961 22 API calls 96529->96530 96531 361174 96530->96531 96532 36a961 22 API calls 96531->96532 96533 36117e 96532->96533 96534 36a961 22 API calls 96533->96534 96535 361188 96534->96535 96536 36a961 22 API calls 96535->96536 96537 3611c6 96536->96537 96538 36a961 22 API calls 96537->96538 96539 361292 96538->96539 96572 36171c 96539->96572 96543 3612c4 96544 36a961 22 API calls 96543->96544 96545 3612ce 96544->96545 96546 371940 9 API calls 96545->96546 96547 3612f9 96546->96547 96593 361aab 96547->96593 96549 361315 96550 361325 GetStdHandle 
96549->96550 96551 36137a 96550->96551 96552 3a2485 96550->96552 96555 361387 OleInitialize 96551->96555 96552->96551 96553 3a248e 96552->96553 96554 37fddb 22 API calls 96553->96554 96556 3a2495 96554->96556 96555->96522 96600 3d011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 96556->96600 96558 3a249e 96601 3d0944 CreateThread 96558->96601 96560 3a24aa CloseHandle 96560->96551 96561->96524 96602 3613f1 96562->96602 96565 3613f1 22 API calls 96566 3613d0 96565->96566 96567 36a961 22 API calls 96566->96567 96568 3613dc 96567->96568 96569 366b57 22 API calls 96568->96569 96570 361129 96569->96570 96571 361bc3 6 API calls 96570->96571 96571->96529 96573 36a961 22 API calls 96572->96573 96574 36172c 96573->96574 96575 36a961 22 API calls 96574->96575 96576 361734 96575->96576 96577 36a961 22 API calls 96576->96577 96578 36174f 96577->96578 96579 37fddb 22 API calls 96578->96579 96580 36129c 96579->96580 96581 361b4a 96580->96581 96582 361b58 96581->96582 96583 36a961 22 API calls 96582->96583 96584 361b63 96583->96584 96585 36a961 22 API calls 96584->96585 96586 361b6e 96585->96586 96587 36a961 22 API calls 96586->96587 96588 361b79 96587->96588 96589 36a961 22 API calls 96588->96589 96590 361b84 96589->96590 96591 37fddb 22 API calls 96590->96591 96592 361b96 RegisterWindowMessageW 96591->96592 96592->96543 96594 3a272d 96593->96594 96595 361abb 96593->96595 96609 3d3209 23 API calls 96594->96609 96596 37fddb 22 API calls 96595->96596 96598 361ac3 96596->96598 96598->96549 96599 3a2738 96600->96558 96601->96560 96610 3d092a 28 API calls 96601->96610 96603 36a961 22 API calls 96602->96603 96604 3613fc 96603->96604 96605 36a961 22 API calls 96604->96605 96606 361404 96605->96606 96607 36a961 22 API calls 96606->96607 96608 3613c6 96607->96608 96608->96565 96609->96599 96611 36dee5 96614 36b710 96611->96614 96615 36b72b 96614->96615 96616 3b00f8 96615->96616 96617 3b0146 96615->96617 96644 36b750 
96615->96644 96620 3b0102 96616->96620 96623 3b010f 96616->96623 96616->96644 96656 3e58a2 207 API calls 2 library calls 96617->96656 96654 3e5d33 207 API calls 96620->96654 96640 36ba20 96623->96640 96655 3e61d0 207 API calls 2 library calls 96623->96655 96626 3b03d9 96626->96626 96627 37d336 40 API calls 96627->96644 96631 36ba4e 96632 3b0322 96659 3e5c0c 82 API calls 96632->96659 96639 36bbe0 40 API calls 96639->96644 96640->96631 96660 3d359c 82 API calls __wsopen_s 96640->96660 96641 36ec40 207 API calls 96641->96644 96642 36a8c7 22 API calls 96642->96644 96644->96627 96644->96631 96644->96632 96644->96639 96644->96640 96644->96641 96644->96642 96645 36a81b 41 API calls 96644->96645 96646 37d2f0 40 API calls 96644->96646 96647 37a01b 207 API calls 96644->96647 96648 380242 5 API calls __Init_thread_wait 96644->96648 96649 37edcd 22 API calls 96644->96649 96650 3800a3 29 API calls __onexit 96644->96650 96651 3801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96644->96651 96652 37ee53 82 API calls 96644->96652 96653 37e5ca 207 API calls 96644->96653 96657 36aceb 23 API calls ISource 96644->96657 96658 3bf6bf 23 API calls 96644->96658 96645->96644 96646->96644 96647->96644 96648->96644 96649->96644 96650->96644 96651->96644 96652->96644 96653->96644 96654->96623 96655->96640 96656->96644 96657->96644 96658->96644 96659->96640 96660->96626 96661 19b34e8 96675 19b1108 96661->96675 96663 19b35cd 96678 19b33d8 96663->96678 96665 19b35f6 CreateFileW 96667 19b364a 96665->96667 96674 19b3645 96665->96674 96668 19b3661 VirtualAlloc 96667->96668 96667->96674 96669 19b3682 ReadFile 96668->96669 96668->96674 96670 19b369d 96669->96670 96669->96674 96671 19b2178 12 API calls 96670->96671 96672 19b36b7 96671->96672 96673 19b23d8 GetPEB GetPEB 96672->96673 96673->96674 96681 19b4618 GetPEB 96675->96681 96677 19b1793 96677->96663 96679 19b33e1 Sleep 96678->96679 96680 19b33ef 96679->96680 96682 19b4642 96681->96682 96682->96677 96683 362de3 96684 362df0 
__wsopen_s 96683->96684 96685 3a2c2b ___scrt_fastfail 96684->96685 96686 362e09 96684->96686 96688 3a2c47 GetOpenFileNameW 96685->96688 96687 363aa2 23 API calls 96686->96687 96689 362e12 96687->96689 96690 3a2c96 96688->96690 96699 362da5 96689->96699 96692 366b57 22 API calls 96690->96692 96694 3a2cab 96692->96694 96694->96694 96696 362e27 96717 3644a8 96696->96717 96700 3a1f50 __wsopen_s 96699->96700 96701 362db2 GetLongPathNameW 96700->96701 96702 366b57 22 API calls 96701->96702 96703 362dda 96702->96703 96704 363598 96703->96704 96705 36a961 22 API calls 96704->96705 96706 3635aa 96705->96706 96707 363aa2 23 API calls 96706->96707 96708 3635b5 96707->96708 96709 3a32eb 96708->96709 96710 3635c0 96708->96710 96714 3a330d 96709->96714 96753 37ce60 41 API calls 96709->96753 96712 36515f 22 API calls 96710->96712 96713 3635cc 96712->96713 96747 3635f3 96713->96747 96716 3635df 96716->96696 96718 364ecb 94 API calls 96717->96718 96719 3644cd 96718->96719 96720 3a3833 96719->96720 96721 364ecb 94 API calls 96719->96721 96722 3d2cf9 80 API calls 96720->96722 96723 3644e1 96721->96723 96724 3a3848 96722->96724 96723->96720 96725 3644e9 96723->96725 96726 3a3869 96724->96726 96727 3a384c 96724->96727 96729 3644f5 96725->96729 96730 3a3854 96725->96730 96728 37fe0b 22 API calls 96726->96728 96731 364f39 68 API calls 96727->96731 96736 3a38ae 96728->96736 96769 36940c 136 API calls 2 library calls 96729->96769 96770 3cda5a 82 API calls 96730->96770 96731->96730 96734 3a3862 96734->96726 96735 362e31 96737 3a3a5f 96736->96737 96739 36a4a1 22 API calls 96736->96739 96743 369cb3 22 API calls 96736->96743 96744 3a3a67 96736->96744 96754 3c967e 96736->96754 96757 3d0b5a 96736->96757 96763 363ff7 96736->96763 96771 3c95ad 42 API calls _wcslen 96736->96771 96737->96744 96738 364f39 68 API calls 96738->96744 96739->96736 96743->96736 96744->96738 96772 3c989b 82 API calls __wsopen_s 96744->96772 96748 363605 96747->96748 96752 363624 __fread_nolock 96747->96752 96750 37fe0b 22 
API calls 96748->96750 96749 37fddb 22 API calls 96751 36363b 96749->96751 96750->96752 96751->96716 96752->96749 96753->96709 96755 37fe0b 22 API calls 96754->96755 96756 3c96ae __fread_nolock 96755->96756 96756->96736 96758 3d0b65 96757->96758 96759 37fddb 22 API calls 96758->96759 96760 3d0b7c 96759->96760 96761 369cb3 22 API calls 96760->96761 96762 3d0b87 96761->96762 96762->96736 96764 36400a 96763->96764 96766 3640ae 96763->96766 96765 37fe0b 22 API calls 96764->96765 96768 36403c 96764->96768 96765->96768 96766->96736 96767 37fddb 22 API calls 96767->96768 96768->96766 96768->96767 96769->96735 96770->96734 96771->96736 96772->96744 96773 3b3a41 96777 3d10c0 96773->96777 96775 3b3a4c 96776 3d10c0 53 API calls 96775->96776 96776->96775 96778 3d10fa 96777->96778 96782 3d10cd 96777->96782 96778->96775 96779 3d10fc 96789 37fa11 53 API calls 96779->96789 96780 3d1101 96783 367510 53 API calls 96780->96783 96782->96778 96782->96779 96782->96780 96786 3d10f4 96782->96786 96784 3d1108 96783->96784 96785 366350 22 API calls 96784->96785 96785->96778 96788 36b270 39 API calls 96786->96788 96788->96778 96789->96780 96790 3b2a00 96805 36d7b0 ISource 96790->96805 96791 36db11 PeekMessageW 96791->96805 96792 36d807 GetInputState 96792->96791 96792->96805 96794 3b1cbe TranslateAcceleratorW 96794->96805 96795 36da04 timeGetTime 96795->96805 96796 36db73 TranslateMessage DispatchMessageW 96797 36db8f PeekMessageW 96796->96797 96797->96805 96798 36dbaf Sleep 96813 36dbc0 96798->96813 96799 3b2b74 Sleep 96799->96813 96800 37e551 timeGetTime 96800->96813 96801 3b1dda timeGetTime 96854 37e300 23 API calls 96801->96854 96804 3b2c0b GetExitCodeProcess 96808 3b2c21 WaitForSingleObject 96804->96808 96809 3b2c37 CloseHandle 96804->96809 96805->96791 96805->96792 96805->96794 96805->96795 96805->96796 96805->96797 96805->96798 96805->96799 96805->96801 96811 36d9d5 96805->96811 96818 36ec40 207 API calls 96805->96818 96819 371310 207 API calls 96805->96819 96822 36dd50 96805->96822 
96829 36dfd0 96805->96829 96852 36bf40 207 API calls 2 library calls 96805->96852 96853 37edf6 IsDialogMessageW GetClassLongW 96805->96853 96855 3d3a2a 23 API calls 96805->96855 96856 3d359c 82 API calls __wsopen_s 96805->96856 96806 3f29bf GetForegroundWindow 96806->96813 96808->96805 96808->96809 96809->96813 96810 3b2a31 96810->96811 96812 3b2ca9 Sleep 96812->96805 96813->96800 96813->96804 96813->96805 96813->96806 96813->96810 96813->96811 96813->96812 96857 3e5658 23 API calls 96813->96857 96858 3ce97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96813->96858 96859 3cd4dc 47 API calls 96813->96859 96818->96805 96819->96805 96823 36dd83 96822->96823 96824 36dd6f 96822->96824 96861 3d359c 82 API calls __wsopen_s 96823->96861 96860 36d260 207 API calls 2 library calls 96824->96860 96826 36dd7a 96826->96805 96828 3b2f75 96828->96828 96830 36e010 96829->96830 96847 36e0dc ISource 96830->96847 96864 380242 5 API calls __Init_thread_wait 96830->96864 96833 3b2fca 96835 36a961 22 API calls 96833->96835 96833->96847 96834 36a961 22 API calls 96834->96847 96838 3b2fe4 96835->96838 96865 3800a3 29 API calls __onexit 96838->96865 96840 3b2fee 96866 3801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96840->96866 96844 36ec40 207 API calls 96844->96847 96845 36a8c7 22 API calls 96845->96847 96846 3704f0 22 API calls 96846->96847 96847->96834 96847->96844 96847->96845 96847->96846 96848 36e3e1 96847->96848 96850 3d359c 82 API calls 96847->96850 96862 36a81b 41 API calls 96847->96862 96863 37a308 207 API calls 96847->96863 96867 380242 5 API calls __Init_thread_wait 96847->96867 96868 3800a3 29 API calls __onexit 96847->96868 96869 3801f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96847->96869 96870 3e47d4 207 API calls 96847->96870 96871 3e68c1 207 API calls 96847->96871 96848->96805 96850->96847 96852->96805 96853->96805 96854->96805 96855->96805 96856->96805 96857->96813 96858->96813 
96859->96813 96860->96826 96861->96828 96862->96847 96863->96847 96864->96833 96865->96840 96866->96847 96867->96847 96868->96847 96869->96847 96870->96847 96871->96847 96872 398402 96877 3981be 96872->96877 96875 39842a 96878 3981ef try_get_first_available_module 96877->96878 96888 398338 96878->96888 96892 388e0b 40 API calls 2 library calls 96878->96892 96880 3983ee 96896 3927ec 26 API calls pre_c_initialization 96880->96896 96882 398343 96882->96875 96889 3a0984 96882->96889 96884 39838c 96884->96888 96893 388e0b 40 API calls 2 library calls 96884->96893 96886 3983ab 96886->96888 96894 388e0b 40 API calls 2 library calls 96886->96894 96888->96882 96895 38f2d9 20 API calls _abort 96888->96895 96897 3a0081 96889->96897 96891 3a099f 96891->96875 96892->96884 96893->96886 96894->96888 96895->96880 96896->96882 96900 3a008d __FrameHandler3::FrameUnwindToState 96897->96900 96898 3a009b 96955 38f2d9 20 API calls _abort 96898->96955 96900->96898 96902 3a00d4 96900->96902 96901 3a00a0 96956 3927ec 26 API calls pre_c_initialization 96901->96956 96908 3a065b 96902->96908 96907 3a00aa __fread_nolock 96907->96891 96958 3a042f 96908->96958 96911 3a068d 96990 38f2c6 20 API calls _abort 96911->96990 96912 3a06a6 96976 395221 96912->96976 96915 3a06ab 96917 3a06cb 96915->96917 96918 3a06b4 96915->96918 96916 3a0692 96991 38f2d9 20 API calls _abort 96916->96991 96989 3a039a CreateFileW 96917->96989 96992 38f2c6 20 API calls _abort 96918->96992 96922 3a06b9 96993 38f2d9 20 API calls _abort 96922->96993 96924 3a0781 GetFileType 96925 3a078c GetLastError 96924->96925 96926 3a07d3 96924->96926 96996 38f2a3 20 API calls __dosmaperr 96925->96996 96998 39516a 21 API calls 2 library calls 96926->96998 96927 3a0756 GetLastError 96995 38f2a3 20 API calls __dosmaperr 96927->96995 96930 3a0704 96930->96924 96930->96927 96994 3a039a CreateFileW 96930->96994 96931 3a079a CloseHandle 96931->96916 96935 3a07c3 96931->96935 96934 3a0749 96934->96924 96934->96927 96997 38f2d9 20 API calls _abort 
96935->96997 96936 3a07f4 96938 3a0840 96936->96938 96999 3a05ab 72 API calls 3 library calls 96936->96999 96943 3a086d 96938->96943 97000 3a014d 72 API calls 4 library calls 96938->97000 96939 3a07c8 96939->96916 96942 3a0866 96942->96943 96945 3a087e 96942->96945 96944 3986ae __wsopen_s 29 API calls 96943->96944 96946 3a00f8 96944->96946 96945->96946 96947 3a08fc CloseHandle 96945->96947 96957 3a0121 LeaveCriticalSection __wsopen_s 96946->96957 97001 3a039a CreateFileW 96947->97001 96949 3a0927 96950 3a095d 96949->96950 96951 3a0931 GetLastError 96949->96951 96950->96946 97002 38f2a3 20 API calls __dosmaperr 96951->97002 96953 3a093d 97003 395333 21 API calls 2 library calls 96953->97003 96955->96901 96956->96907 96957->96907 96959 3a0450 96958->96959 96960 3a046a 96958->96960 96959->96960 97011 38f2d9 20 API calls _abort 96959->97011 97004 3a03bf 96960->97004 96963 3a045f 97012 3927ec 26 API calls pre_c_initialization 96963->97012 96965 3a04a2 96966 3a04d1 96965->96966 97013 38f2d9 20 API calls _abort 96965->97013 96974 3a0524 96966->96974 97015 38d70d 26 API calls 2 library calls 96966->97015 96969 3a051f 96971 3a059e 96969->96971 96969->96974 96970 3a04c6 97014 3927ec 26 API calls pre_c_initialization 96970->97014 97016 3927fc 11 API calls _abort 96971->97016 96974->96911 96974->96912 96975 3a05aa 96977 39522d __FrameHandler3::FrameUnwindToState 96976->96977 97019 392f5e EnterCriticalSection 96977->97019 96979 39527b 97020 39532a 96979->97020 96980 395259 96983 395000 __wsopen_s 21 API calls 96980->96983 96981 395234 96981->96979 96981->96980 96986 3952c7 EnterCriticalSection 96981->96986 96985 39525e 96983->96985 96984 3952a4 __fread_nolock 96984->96915 96985->96979 97023 395147 EnterCriticalSection 96985->97023 96986->96979 96987 3952d4 LeaveCriticalSection 96986->96987 96987->96981 96989->96930 96990->96916 96991->96946 96992->96922 96993->96916 96994->96934 96995->96916 96996->96931 96997->96939 96998->96936 96999->96938 97000->96942 97001->96949 
97002->96953 97003->96950 97006 3a03d7 97004->97006 97005 3a03f2 97005->96965 97006->97005 97017 38f2d9 20 API calls _abort 97006->97017 97008 3a0416 97018 3927ec 26 API calls pre_c_initialization 97008->97018 97010 3a0421 97010->96965 97011->96963 97012->96960 97013->96970 97014->96966 97015->96969 97016->96975 97017->97008 97018->97010 97019->96981 97024 392fa6 LeaveCriticalSection 97020->97024 97022 395331 97022->96984 97023->96979 97024->97022 97025 361cad SystemParametersInfoW 97026 3a2ba5 97027 362b25 97026->97027 97028 3a2baf 97026->97028 97054 362b83 7 API calls 97027->97054 97030 363a5a 24 API calls 97028->97030 97032 3a2bb8 97030->97032 97034 369cb3 22 API calls 97032->97034 97036 3a2bc6 97034->97036 97035 362b2f 97041 363837 49 API calls 97035->97041 97042 362b44 97035->97042 97037 3a2bce 97036->97037 97038 3a2bf5 97036->97038 97040 3633c6 22 API calls 97037->97040 97039 3633c6 22 API calls 97038->97039 97043 3a2bf1 GetForegroundWindow ShellExecuteW 97039->97043 97044 3a2bd9 97040->97044 97041->97042 97047 362b5f 97042->97047 97058 3630f2 Shell_NotifyIconW ___scrt_fastfail 97042->97058 97049 3a2c26 97043->97049 97046 366350 22 API calls 97044->97046 97050 3a2be7 97046->97050 97051 362b66 SetCurrentDirectoryW 97047->97051 97049->97047 97052 3633c6 22 API calls 97050->97052 97053 362b7a 97051->97053 97052->97043 97059 362cd4 7 API calls 97054->97059 97056 362b2a 97057 362c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 97056->97057 97057->97035 97058->97047 97059->97056

Control-flow Graph (legend: Executed / Not Executed)
control_flow_graph for function 3642de-36434d (call 36a961, GetVersionExW, call 366b57, then GetCurrentProcess / IsWow64Process, LoadLibraryA, GetProcAddress GetNativeSystemInfo, FreeLibrary, GetSystemInfo): basic-block edge list omitted, it was rendered as raw text and is not readable in this form.
                                                                                                            APIs
                                                                                                            • GetVersionExW.KERNEL32(?), ref: 0036430D
                                                                                                              • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
                                                                                                            • GetCurrentProcess.KERNEL32(?,003FCB64,00000000,?,?), ref: 00364422
                                                                                                            • IsWow64Process.KERNEL32(00000000,?,?), ref: 00364429
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00364454
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00364466
                                                                                                            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00364474
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?), ref: 0036447B
                                                                                                            • GetSystemInfo.KERNEL32(?,?,?), ref: 003644A0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                            • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                                            • API String ID: 3290436268-3101561225
                                                                                                            • Opcode ID: eb6f5074950cd74e97ae582a44d50765b3587d84be2bdb6c1beaf38e6b71fa23
                                                                                                            • Instruction ID: a89d78b9a6416c4ce077921186fab36a91b4ce93340c4aa36b4c8c2e00044240
                                                                                                            • Opcode Fuzzy Hash: eb6f5074950cd74e97ae582a44d50765b3587d84be2bdb6c1beaf38e6b71fa23
                                                                                                            • Instruction Fuzzy Hash: 69A1B665D1A2C0DFE713C77A7C815E57FA8AB26340F18B8B9E88193B75D6304918CB29

                                                                                                            Control-flow Graph

Control-flow graph (rendered figure; node/edge list not reproduced). Function at 3642a2: CreateStreamOnHGlobal, then FindResourceExW; on success the blocks at 3a35ba, 3a35cf and 3a35e3 call LoadResource, SizeofResource and LockResource in sequence, and blocks 3a35f4 to 3a3612 process the locked resource bytes. Every failure edge joins the common exit at 3642d9/3642da.
                                                                                                            APIs
                                                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003650AA,?,?,00000000,00000000), ref: 003642B2
                                                                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003650AA,?,?,00000000,00000000), ref: 003642C9
                                                                                                            • LoadResource.KERNEL32(?,00000000,?,?,003650AA,?,?,00000000,00000000,?,?,?,?,?,?,00364F20), ref: 003A35BE
                                                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,003650AA,?,?,00000000,00000000,?,?,?,?,?,?,00364F20), ref: 003A35D3
                                                                                                            • LockResource.KERNEL32(003650AA,?,?,003650AA,?,?,00000000,00000000,?,?,?,?,?,?,00364F20,?), ref: 003A35E6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                            • String ID: SCRIPT
                                                                                                            • API String ID: 3051347437-3967369404
                                                                                                            • Opcode ID: f868c4692f47114f1cc7a5143809f683374c6480947e45f79a0be7d15170a443
                                                                                                            • Instruction ID: 96f290eb4c2bff57b50e116329ed8126384dadcffc79a28d0051f16fd23c3f2d
                                                                                                            • Opcode Fuzzy Hash: f868c4692f47114f1cc7a5143809f683374c6480947e45f79a0be7d15170a443
                                                                                                            • Instruction Fuzzy Hash: 74117C70640704BFDB228B65DD58F677BBDEBC5B51F208969F402D6250DB71DC10C620
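
The function above resolves a resource of type 0x0A (RT_RCDATA) named SCRIPT with FindResourceExW and copies it into a stream; that resource is where a compiled AutoIt stub keeps the script it interprets, which is the static check behind the "compiled AutoIt script" signature. The following is an added example, not part of the Joe Sandbox report and not code recovered from the sample: a stdlib-only Python walker of the PE resource directory that performs the same lookup offline (type 10, name SCRIPT, first language entry) and returns the resource bytes. The PE it runs on is constructed inside the block (a minimal PE32 whose only section is .rsrc), not this sample; the AU3!EA06 tag it looks for is the ASCII marker found near the start of compiled AutoIt v3 script bodies and is general knowledge rather than something this report states.

```python
import struct

RT_RCDATA = 10              # resource type 0x0A, the second argument passed to FindResourceExW above
AU3_MARKER = b"AU3!EA06"    # ASCII tag near the start of a compiled AutoIt v3 script (general knowledge, not from this report)


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def find_rcdata_resource(image, name="SCRIPT"):
    """Return the bytes of the RT_RCDATA resource called `name` (case-insensitive, as
    FindResourceExW matches), or None when the PE has no such resource."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = _u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = _u16(image, pe + 6), _u16(image, pe + 20)
    opt = pe + 24
    # data directories start at +96 for PE32 (magic 0x10B) and +112 for PE32+ (0x20B)
    dd = opt + (96 if _u16(image, opt) == 0x10B else 112)
    rsrc_rva = _u32(image, dd + 2 * 8)        # directory entry 2 = resource table
    if rsrc_rva == 0:
        return None
    sections = []                             # (VirtualAddress, size, PointerToRawData)
    for i in range(nsec):
        s = opt + opt_size + i * 40
        sections.append((_u32(image, s + 12), max(_u32(image, s + 8), _u32(image, s + 16)), _u32(image, s + 20)))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA %#x not backed by any section" % rva)

    base = rva_to_off(rsrc_rva)

    def entries(d):   # (Name, OffsetToData) pairs of the IMAGE_RESOURCE_DIRECTORY at file offset d
        for i in range(_u16(image, d + 12) + _u16(image, d + 14)):
            yield _u32(image, d + 16 + i * 8), _u32(image, d + 20 + i * 8)

    def ident(field):  # numeric ID, or the UTF-16 name (upper-cased) when the high bit is set
        if field & 0x80000000:
            o = base + (field & 0x7FFFFFFF)
            return image[o + 2:o + 2 + 2 * _u16(image, o)].decode("utf-16-le").upper()
        return field

    # level 1: type, level 2: name or ID, level 3: language -> IMAGE_RESOURCE_DATA_ENTRY
    for typ, sub in entries(base):
        if ident(typ) != RT_RCDATA or not sub & 0x80000000:
            continue
        for nm, sub2 in entries(base + (sub & 0x7FFFFFFF)):
            if ident(nm) != name.upper() or not sub2 & 0x80000000:
                continue
            for _lang, leaf in entries(base + (sub2 & 0x7FFFFFFF)):
                if leaf & 0x80000000:
                    continue
                data_rva, size = _u32(image, base + leaf), _u32(image, base + leaf + 4)
                off = rva_to_off(data_rva)
                return bytes(image[off:off + size])
    return None


def looks_like_autoit_script(image):
    blob = find_rcdata_resource(image, "SCRIPT")
    return blob is not None and AU3_MARKER in blob


def build_sample_pe(payload):
    """Constructed minimal PE32 (not a real AutoIt stub): one .rsrc section holding a single
    RT_RCDATA resource named SCRIPT whose data is `payload`."""
    rsrc_rva, rsrc_raw, data_off = 0x2000, 0x400, 0x68

    def directory(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)

    rsrc = (directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)            # root -> type 10
            + directory(1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)  # name "SCRIPT" -> lang dir
            + directory(0, 1) + struct.pack("<II", 0, 0x48)                               # lang 0 -> data entry
            + struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)               # data entry (RVA, size)
            + struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le") + b"\0\0")              # IMAGE_RESOURCE_DIR_STRING_U
    assert len(rsrc) == data_off
    rsrc += payload
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 2 * 8, rsrc_rva, len(rsrc))
    opt = struct.pack("<H", 0x10B) + bytes(94) + dirs                                      # 224-byte PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc), rsrc_raw, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr + bytes(rsrc_raw - len(hdr)) + rsrc


# constructed script body: 16 placeholder bytes, the AU3 tag, then filler (not a real compiled script)
SAMPLE_SCRIPT = b"\0" * 16 + AU3_MARKER + b"<constructed script body>"

if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_SCRIPT)
    print("SCRIPT resource:", find_rcdata_resource(pe, "SCRIPT"))
    print("AutoIt-like:", looks_like_autoit_script(pe))
```

On a real file, read it with open(path, "rb").read() and pass the bytes to find_rcdata_resource; the returned blob is what the stub hands to its interpreter, and the AU3 tag check is only a triage hint, since the script body itself is still compressed and needs a dedicated decompiler.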

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00362B6B
                                                                                                              • Part of subcall function 00363A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00431418,?,00362E7F,?,?,?,00000000), ref: 00363A78
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00422224), ref: 003A2C10
                                                                                                            • ShellExecuteW.SHELL32(00000000,?,?,00422224), ref: 003A2C17
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                                            • String ID: runas
                                                                                                            • API String ID: 448630720-4000483414
                                                                                                            • Opcode ID: f522c60c2957c801f4c9604630505c96b5533ed13c34419e8e9bef1f2dd40be4
                                                                                                            • Instruction ID: 67258c3b92a6029f251ea6f91195173bca4589ad2c7e578ece22aee3d8b79854
                                                                                                            • Opcode Fuzzy Hash: f522c60c2957c801f4c9604630505c96b5533ed13c34419e8e9bef1f2dd40be4
                                                                                                            • Instruction Fuzzy Hash: 23110631208345AAC707FF60D851ABEB7A8DFA5340F54D42EF0825B0BACF348549D712
                                                                                                            APIs
                                                                                                            • GetInputState.USER32 ref: 0036D807
                                                                                                            • timeGetTime.WINMM ref: 0036DA07
                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0036DB28
                                                                                                            • TranslateMessage.USER32(?), ref: 0036DB7B
                                                                                                            • DispatchMessageW.USER32(?), ref: 0036DB89
                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0036DB9F
                                                                                                            • Sleep.KERNEL32(0000000A), ref: 0036DBB1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                            • String ID:
                                                                                                            • API String ID: 2189390790-0
                                                                                                            • Opcode ID: c1c1eaa2c6be0d48800d0526766b074e48112be31142aec7bbb6d6f0837874ff
                                                                                                            • Instruction ID: cbe154b782ecf34ed5000b6ca63e25459450538defed02ea11c2f86333ccef79
                                                                                                            • Opcode Fuzzy Hash: c1c1eaa2c6be0d48800d0526766b074e48112be31142aec7bbb6d6f0837874ff
                                                                                                            • Instruction Fuzzy Hash: 8342E230B08341DFD72BCF24C894BAABBE4BF46308F15866DE5958B695D770E844CB92

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00362D07
                                                                                                            • RegisterClassExW.USER32(00000030), ref: 00362D31
                                                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00362D42
                                                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00362D5F
                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00362D6F
                                                                                                            • LoadIconW.USER32(000000A9), ref: 00362D85
                                                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00362D94
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                            • API String ID: 2914291525-1005189915
                                                                                                            • Opcode ID: 414b20d2e5ab6e942aece04b90ccf3072a6411c2b20e26d5fb5b7910769d2f68
                                                                                                            • Instruction ID: 7672abbddd947b211a075fd044a0cfb9e83744f18e12d999c3f17a533ed278f8
                                                                                                            • Opcode Fuzzy Hash: 414b20d2e5ab6e942aece04b90ccf3072a6411c2b20e26d5fb5b7910769d2f68
                                                                                                            • Instruction Fuzzy Hash: 1021E5B595120CEFDB01DFA4ED49BEDBBB8FB08700F00512AF611A62A0D7B15544CF94

                                                                                                            Control-flow Graph

Control-flow graph (rendered figure; node/edge list not reproduced). Function at 3a065b: calls 3a042f, then 395221 and 3a039a (the CreateFileW wrapper), then GetFileType on the returned handle at 3a0781. Each failure path calls GetLastError and 38f2a3 (__dosmaperr), the one at 3a078c also CloseHandle, before joining the common exit at 3a097d; the success path runs through 39516a, 3a014d and 3986ae, with a second CloseHandle at 3a08fc followed by a GetLastError/__dosmaperr path at 3a0931.
                                                                                                            APIs
                                                                                                              • Part of subcall function 003A039A: CreateFileW.KERNELBASE(00000000,00000000,?,003A0704,?,?,00000000,?,003A0704,00000000,0000000C), ref: 003A03B7
                                                                                                            • GetLastError.KERNEL32 ref: 003A076F
                                                                                                            • __dosmaperr.LIBCMT ref: 003A0776
                                                                                                            • GetFileType.KERNELBASE(00000000), ref: 003A0782
                                                                                                            • GetLastError.KERNEL32 ref: 003A078C
                                                                                                            • __dosmaperr.LIBCMT ref: 003A0795
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003A07B5
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003A08FF
                                                                                                            • GetLastError.KERNEL32 ref: 003A0931
                                                                                                            • __dosmaperr.LIBCMT ref: 003A0938
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                            • String ID: H
                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                            • Opcode ID: afd3c96b0d8f1becc66da52b025b14ca63f1cb738f8135a041c10c032e3b1f28
                                                                                                            • Instruction ID: f61508c85816ca136e1b569a0fcabfc25357f7486ecadc1adcf49ba99afacdf9
                                                                                                            • Opcode Fuzzy Hash: afd3c96b0d8f1becc66da52b025b14ca63f1cb738f8135a041c10c032e3b1f28
                                                                                                            • Instruction Fuzzy Hash: ECA12436A101088FDF1EAF68D851BAE7BA4EB07320F14025DF8159F2A1D7359C12CB91

Control-flow Graph

APIs
  • Part of subcall function 00363A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00431418,?,00362E7F,?,?,?,00000000), ref: 00363A78
  • Part of subcall function 00363357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00363379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0036356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003A318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003A31CE
• RegCloseKey.ADVAPI32(?), ref: 003A3210
• _wcslen.LIBCMT ref: 003A3277
• _wcslen.LIBCMT ref: 003A3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: b95098f616a8c7eef08c93e7c29b00b63e175524862d9338dc0f15fd8bfc641b
• Instruction ID: 84ea54f57289b5d9433ffc9cf47ce6a6af43d9bd440fe2c1ace0ce029e733c35
• Opcode Fuzzy Hash: b95098f616a8c7eef08c93e7c29b00b63e175524862d9338dc0f15fd8bfc641b
• Instruction Fuzzy Hash: 4971D1714043059EC316EF35ED819ABBBE8FF89340F50583EF945871A0EBB49A48CB66

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00362B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00362B9D
• LoadIconW.USER32(00000063), ref: 00362BB3
• LoadIconW.USER32(000000A4), ref: 00362BC5
• LoadIconW.USER32(000000A2), ref: 00362BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00362BEF
• RegisterClassExW.USER32(?), ref: 00362C40
  • Part of subcall function 00362CD4: GetSysColorBrush.USER32(0000000F), ref: 00362D07
  • Part of subcall function 00362CD4: RegisterClassExW.USER32(00000030), ref: 00362D31
  • Part of subcall function 00362CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00362D42
  • Part of subcall function 00362CD4: InitCommonControlsEx.COMCTL32(?), ref: 00362D5F
  • Part of subcall function 00362CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00362D6F
  • Part of subcall function 00362CD4: LoadIconW.USER32(000000A9), ref: 00362D85
  • Part of subcall function 00362CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00362D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 68dbf8354c1042b888cb0f3a838b6afe765115c14a924876f002b9685dfdf376
• Instruction ID: a10a91c75e52536678f81aa2ab749ecc232e5c937272fcefa654613969c39585
• Opcode Fuzzy Hash: 68dbf8354c1042b888cb0f3a838b6afe765115c14a924876f002b9685dfdf376
• Instruction Fuzzy Hash: C7214F75E50318AFEB119F96ED85AA97FB4FB08B50F00503AE901A66B0D3B10544CF98
APIs
• __Init_thread_footer.LIBCMT ref: 0036BB4E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: p#C$p#C$p#C$p#C$p%C$p%C$x#C$x#C
• API String ID: 1385522511-2144582880
• Opcode ID: 5785e85c6d9150dc85e459ee26e429ea98e4c69e52488943e53aa1db3abae9d6
• Instruction ID: 999a26a3444be969759a4729fe9533b4600f14eaa42e6a1658f379ffa7827345
• Opcode Fuzzy Hash: 5785e85c6d9150dc85e459ee26e429ea98e4c69e52488943e53aa1db3abae9d6
• Instruction Fuzzy Hash: CA32BC34A00209DFDB2ACF58C898ABEB7F9EF44304F16C059EA05AB665D774AD81CF51

Control-flow Graph

control_flow_graph 650 363170-363185 651 363187-36318a 650->651 652 3631e5-3631e7 650->652 653 36318c-363193 651->653 654 3631eb 651->654 652->651 655 3631e9 652->655 659 363265-36326d PostQuitMessage 653->659 660 363199-36319e 653->660 657 3a2dfb-3a2e23 call 3618e2 call 37e499 654->657 658 3631f1-3631f6 654->658 656 3631d0-3631d8 DefWindowProcW 655->656 666 3631de-3631e4 656->666 696 3a2e28-3a2e2f 657->696 661 36321d-363244 SetTimer RegisterWindowMessageW 658->661 662 3631f8-3631fb 658->662 667 363219-36321b 659->667 664 3631a4-3631a8 660->664 665 3a2e7c-3a2e90 call 3cbf30 660->665 661->667 671 363246-363251 CreatePopupMenu 661->671 668 3a2d9c-3a2d9f 662->668 669 363201-363214 KillTimer call 3630f2 call 363c50 662->669 672 3a2e68-3a2e77 call 3cc161 664->672 673 3631ae-3631b3 664->673 665->667 691 3a2e96 665->691 667->666 681 3a2da1-3a2da5 668->681 682 3a2dd7-3a2df6 MoveWindow 668->682 669->667 671->667 672->667 678 3a2e4d-3a2e54 673->678 679 3631b9-3631be 673->679 678->656 685 3a2e5a-3a2e63 call 3c0ad7 678->685 689 3631c4-3631ca 679->689 690 363253-363263 call 36326f 679->690 683 3a2dc6-3a2dd2 SetFocus 681->683 684 3a2da7-3a2daa 681->684 682->667 683->667 684->689 692 3a2db0-3a2dc1 call 3618e2 684->692 685->656 689->656 689->696 690->667 691->656 692->667 696->656 700 3a2e35-3a2e48 call 3630f2 call 363837 696->700 700->656
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0036316A,?,?), ref: 003631D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,0036316A,?,?), ref: 00363204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00363227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0036316A,?,?), ref: 00363232
• CreatePopupMenu.USER32 ref: 00363246
• PostQuitMessage.USER32(00000000), ref: 00363267
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: feff04e2e47c3558942817743344d9adaf9f3fd0f2fdfb87da7d53918c117baf
• Instruction ID: 14fbb328b912db7cf63e8e4335c03214bf2e80f7af4afb44d678a8328bb2a22a
• Opcode Fuzzy Hash: feff04e2e47c3558942817743344d9adaf9f3fd0f2fdfb87da7d53918c117baf
• Instruction Fuzzy Hash: D7415931250204ABEB172B78DD1DB7A3A1DEB06300F05E526FA02CA5B9C775DE44C765
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID: D%C$D%C$D%C$D%C$D%CD%C$Variable must be of type 'Object'.
• API String ID: 0-2647875386
• Opcode ID: 63a3bee666b78464319fa0dda701ae513c4dbc32550f9a8c08872e5fd76a1906
• Instruction ID: 88e6b41ba199197729aba01686b3a6887d798a8a93ca9fd0d7b8e16f1533c09f
• Opcode Fuzzy Hash: 63a3bee666b78464319fa0dda701ae513c4dbc32550f9a8c08872e5fd76a1906
• Instruction Fuzzy Hash: CCC2AC79A00214CFCB26CF58C880AADB7F5BF09304F25C569E906AB399D375ED49CB91

Control-flow Graph

control_flow_graph 1216 19b1a28-19b1a7a call 19b1928 CreateFileW 1219 19b1a7c-19b1a7e 1216->1219 1220 19b1a83-19b1a90 1216->1220 1221 19b1bdc-19b1be0 1219->1221 1223 19b1aa3-19b1aba VirtualAlloc 1220->1223 1224 19b1a92-19b1a9e 1220->1224 1225 19b1abc-19b1abe 1223->1225 1226 19b1ac3-19b1ae9 CreateFileW 1223->1226 1224->1221 1225->1221 1227 19b1aeb-19b1b08 1226->1227 1228 19b1b0d-19b1b27 ReadFile 1226->1228 1227->1221 1230 19b1b4b-19b1b4f 1228->1230 1231 19b1b29-19b1b46 1228->1231 1233 19b1b51-19b1b6e 1230->1233 1234 19b1b70-19b1b87 WriteFile 1230->1234 1231->1221 1233->1221 1235 19b1b89-19b1bb0 1234->1235 1236 19b1bb2-19b1bd7 CloseHandle VirtualFree 1234->1236 1235->1221 1236->1221
APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 019B1A6D
Memory Dump Source
• Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 1d64d70424b7a9178a0b4601e2229feb48f9cd1e409d65d5807b3409e6e05570
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 0A510B75A50208FFEF24DFA4DD99FDE77B8AF48701F108958F60AEA180DA7496448B60

Control-flow Graph

control_flow_graph 1256 362c63-362cd3 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00362C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00362CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00361CAD,?), ref: 00362CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00361CAD,?), ref: 00362CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: d64da83dfb80e0fe04282454262255b2edaf41d581eac61ccf122bce0aadef75
• Instruction ID: 4c3ba6383a696c86a6c11baeca5faec4e235c56e310f0715a7d36dc6b373750c
• Opcode Fuzzy Hash: d64da83dfb80e0fe04282454262255b2edaf41d581eac61ccf122bce0aadef75
• Instruction Fuzzy Hash: 81F0DA755902987AFB311717AC08EB76EBDD7C6F50F00206AFE00A35B0C6611858DEB8

Control-flow Graph

control_flow_graph 1645 19b34e8-19b3643 call 19b1108 call 19b33d8 CreateFileW 1652 19b364a-19b365a 1645->1652 1653 19b3645 1645->1653 1656 19b365c 1652->1656 1657 19b3661-19b367b VirtualAlloc 1652->1657 1654 19b3717-19b371c 1653->1654 1656->1654 1658 19b367d 1657->1658 1659 19b3682-19b3699 ReadFile 1657->1659 1658->1654 1660 19b369b 1659->1660 1661 19b369d-19b36b2 call 19b2178 1659->1661 1660->1654 1663 19b36b7-19b36f1 call 19b3418 call 19b23d8 1661->1663 1668 19b370d-19b3715 1663->1668 1669 19b36f3-19b3708 call 19b3468 1663->1669 1668->1654 1669->1668
APIs
  • Part of subcall function 019B33D8: Sleep.KERNELBASE(000001F4), ref: 019B33E9
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019B3639
Strings
Memory Dump Source
• Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: LH9CF2LB4TGTIMTMYMZ996JG58BH
• API String ID: 2694422964-1790796044
• Opcode ID: c8d4eedd8cfa5a5c9b09a34ff9164d3d00f6348ae5ef96c2d36648a40a4d0a0c
• Instruction ID: db4328685e46d19107b43ba5f6d3458d90ec2dee85094267075fd803c7af5a85
                                                                                                            • Opcode Fuzzy Hash: c8d4eedd8cfa5a5c9b09a34ff9164d3d00f6348ae5ef96c2d36648a40a4d0a0c
                                                                                                            • Instruction Fuzzy Hash: 3C61A370D04288DAEF11DBF4C984BEEBBB9AF15304F004599E2487B2C1C7B91B49CB66

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1708 363b1c-363b27 1709 363b99-363b9b 1708->1709 1710 363b29-363b2e 1708->1710 1712 363b8c-363b8f 1709->1712 1710->1709 1711 363b30-363b48 RegOpenKeyExW 1710->1711 1711->1709 1713 363b4a-363b69 RegQueryValueExW 1711->1713 1714 363b80-363b8b RegCloseKey 1713->1714 1715 363b6b-363b76 1713->1715 1714->1712 1716 363b90-363b97 1715->1716 1717 363b78-363b7a 1715->1717 1718 363b7e 1716->1718 1717->1718 1718->1714
                                                                                                            APIs
                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00363B0F,SwapMouseButtons,00000004,?), ref: 00363B40
                                                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00363B0F,SwapMouseButtons,00000004,?), ref: 00363B61
                                                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00363B0F,SwapMouseButtons,00000004,?), ref: 00363B83
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID: Control Panel\Mouse
                                                                                                            • API String ID: 3677997916-824357125
                                                                                                            • Opcode ID: 4387d53af111eabf0adc34f1982dcc458be910186e06d156445d98ad066b0d20
                                                                                                            • Instruction ID: 7013b3fa637f89fc5905e3b5ba55a52e5d218572f7ea74d66308d8313bd5cc59
                                                                                                            • Opcode Fuzzy Hash: 4387d53af111eabf0adc34f1982dcc458be910186e06d156445d98ad066b0d20
                                                                                                            • Instruction Fuzzy Hash: B2115AB1520208FFDB228FA4DC44EEEB7BCEF01740B108459A801D7114D631DE409760

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1719 363923-363939 1720 363a13-363a17 1719->1720 1721 36393f-363954 call 366270 1719->1721 1724 3a3393-3a33a2 LoadStringW 1721->1724 1725 36395a-363976 call 366b57 1721->1725 1727 3a33ad-3a33b6 1724->1727 1731 3a33c9-3a33e5 call 366350 call 363fcf 1725->1731 1732 36397c-363980 1725->1732 1729 363994-363a0e call 382340 call 363a18 call 384983 Shell_NotifyIconW call 36988f 1727->1729 1730 3a33bc-3a33c4 call 36a8c7 1727->1730 1729->1720 1730->1729 1731->1729 1745 3a33eb-3a3409 call 3633c6 call 363fcf call 3633c6 1731->1745 1732->1727 1734 363986-36398f call 366350 1732->1734 1734->1729 1745->1729
                                                                                                            APIs
                                                                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003A33A2
                                                                                                              • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
                                                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00363A04
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconLoadNotifyShell_String_wcslen
                                                                                                            • String ID: Line:
                                                                                                            • API String ID: 2289894680-1585850449
                                                                                                            • Opcode ID: 86f76a39a93812fb624cb3e0ba9435efb5ffea06ac0ba871737fefde41ca2c5f
                                                                                                            • Instruction ID: 497449455c24d6f918a0e8107cd09f45ed5b7560dc0847402554fe3d7d6f1459
                                                                                                            • Opcode Fuzzy Hash: 86f76a39a93812fb624cb3e0ba9435efb5ffea06ac0ba871737fefde41ca2c5f
                                                                                                            • Instruction Fuzzy Hash: AD310471508304AAD723EB20DC46BEBB7ECAF45710F10992AF499871E5DB709A48CBC6

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1755 362de3-362e03 call 3a1f50 1758 3a2c2b-3a2c94 call 382340 GetOpenFileNameW 1755->1758 1759 362e09-362e2c call 363aa2 call 362da5 call 363598 call 3644a8 1755->1759 1764 3a2c9d-3a2ca6 call 366b57 1758->1764 1765 3a2c96 1758->1765 1773 362e31-362e34 1759->1773 1769 3a2cab 1764->1769 1765->1764 1769->1769
                                                                                                            APIs
                                                                                                            • GetOpenFileNameW.COMDLG32(?), ref: 003A2C8C
                                                                                                              • Part of subcall function 00363AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00363A97,?,?,00362E7F,?,?,?,00000000), ref: 00363AC2
                                                                                                              • Part of subcall function 00362DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00362DC4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Name$Path$FileFullLongOpen
                                                                                                            • String ID: X$`eB
                                                                                                            • API String ID: 779396738-698236672
                                                                                                            • Opcode ID: cfb222c9a7d93ed794c6e6f2d702b655fdec07abc5c83f07c608ce6e52d183ed
                                                                                                            • Instruction ID: f1953ed6d6cd529d1bd78af17f840c1e4d3deeaad12cc885b0983b7ceb123572
                                                                                                            • Opcode Fuzzy Hash: cfb222c9a7d93ed794c6e6f2d702b655fdec07abc5c83f07c608ce6e52d183ed
                                                                                                            • Instruction Fuzzy Hash: 4E21A871A002989FDB02EF94D845BEE7BFC9F49314F00C05AE405EB245DBF896898F65
                                                                                                            APIs
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00380668
                                                                                                              • Part of subcall function 003832A4: RaiseException.KERNEL32(?,?,?,0038068A,?,00431444,?,?,?,?,?,?,0038068A,00361129,00428738,00361129), ref: 00383304
                                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00380685
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                                            • String ID: Unknown exception
                                                                                                            • API String ID: 3476068407-410509341
                                                                                                            • Opcode ID: 20958607e6305567d29ba3ab382797ec1059601ebb33c82763b7a00fc5a685d6
                                                                                                            • Instruction ID: 039db7a6eaab029b890e174b9e34b45da779b710241cccb917dbdec37774790a
                                                                                                            • Opcode Fuzzy Hash: 20958607e6305567d29ba3ab382797ec1059601ebb33c82763b7a00fc5a685d6
                                                                                                            • Instruction Fuzzy Hash: EFF0283490030DBBCB16B664E846D5D776CAE00310B7084B1B82889995EF30DA19C780
                                                                                                            APIs
                                                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 019B214D
                                                                                                            • ExitProcess.KERNEL32(00000000), ref: 019B216C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CreateExit
                                                                                                            • String ID: D
                                                                                                            • API String ID: 126409537-2746444292
                                                                                                            • Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                                                                                                            • Instruction ID: 41611b9b6743eb3f609ef30e4713025c682438a986a722e8e70c55cae29b9762
                                                                                                            • Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                                                                                                            • Instruction Fuzzy Hash: B6F0F4B554024CABDB60DFE0CD89FEE777CBF44701F408508FB0A9A144DA7496088751
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003E82F5
                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 003E82FC
                                                                                                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 003E84DD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CurrentFreeLibraryTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 146820519-0
                                                                                                            • Opcode ID: d7594c0612620cc8f7e0c858bdad3e48c9dc20dd7587dfa9ae8c6cebe779a825
                                                                                                            • Instruction ID: 0d187771f684d53957f7620a002adf8a0a7fed109ec48aa1dc70a448260e68f1
                                                                                                            • Opcode Fuzzy Hash: d7594c0612620cc8f7e0c858bdad3e48c9dc20dd7587dfa9ae8c6cebe779a825
                                                                                                            • Instruction Fuzzy Hash: E8127A719083519FC725DF29C480B2ABBE5FF85314F058A5DE8898B292CB31ED45CF92
                                                                                                            APIs
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00361BF4
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00361BFC
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00361C07
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00361C12
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00361C1A
                                                                                                              • Part of subcall function 00361BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00361C22
                                                                                                              • Part of subcall function 00361B4A: RegisterWindowMessageW.USER32(00000004,?,003612C4), ref: 00361BA2
                                                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0036136A
                                                                                                            • OleInitialize.OLE32 ref: 00361388
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 003A24AB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1986988660-0
                                                                                                            • Opcode ID: 9748c32646a6c171c0bf79442e5eb17de6aba1151f8874e531be87c79ff882d9
                                                                                                            • Instruction ID: 93826e8985e58c8db445144ab00f26c8c1e8f6baa9ceb88d9f7ca710c72f0034
                                                                                                            • Opcode Fuzzy Hash: 9748c32646a6c171c0bf79442e5eb17de6aba1151f8874e531be87c79ff882d9
                                                                                                            • Instruction Fuzzy Hash: FA71DCB9911204AFD389EF7AAD456A53AE4FB98340718B63AD10ACB371EB704401CF5C
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNELBASE(00000000,00000000,?,?,003985CC,?,00428CC8,0000000C), ref: 00398704
                                                                                                            • GetLastError.KERNEL32(?,003985CC,?,00428CC8,0000000C), ref: 0039870E
                                                                                                            • __dosmaperr.LIBCMT ref: 00398739
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                            • String ID:
                                                                                                            • API String ID: 2583163307-0
                                                                                                            • Opcode ID: 6831d576c0b44b10b70228488d035c323d54b9c81ddd75fbf89fced0780c9230
                                                                                                            • Instruction ID: 278649fb3bca6fe76bda895aee8c27925655bc209ff7b7ffa6bdc5daeddf66a2
                                                                                                            • Opcode Fuzzy Hash: 6831d576c0b44b10b70228488d035c323d54b9c81ddd75fbf89fced0780c9230
                                                                                                            • Instruction Fuzzy Hash: A2012637A056202ADE676374A885B7E6B594BC3778F3A0219FA149F1D2DEB48CC1C290
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 003717F6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Init_thread_footer
                                                                                                            • String ID: CALL
                                                                                                            • API String ID: 1385522511-4196123274
                                                                                                            • Opcode ID: 5d5b596a363d1d1e6ad63494ed87ad2ea07b080ff7926d3e9cb2f5d5f333cd2f
                                                                                                            • Instruction ID: 0bd93ef05dfbadcb562fcc6bfd74dc9361eb1baa1e9e315737b108c9f2b99080
                                                                                                            • Opcode Fuzzy Hash: 5d5b596a363d1d1e6ad63494ed87ad2ea07b080ff7926d3e9cb2f5d5f333cd2f
                                                                                                            • Instruction Fuzzy Hash: 1D22AB716083019FC726DF18C481B2ABBF5BF89314F14892DF58A8B762D779E945CB82
                                                                                                            APIs
                                                                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00363908
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconNotifyShell_
                                                                                                            • String ID:
                                                                                                            • API String ID: 1144537725-0
                                                                                                            • Opcode ID: a0a15900addd73c9b0a5caeaa694915c043952dc1956d6571b702a563067b1b4
                                                                                                            • Instruction ID: f37c865ec692d89048cdad2c083fedceb75bd685f0cc52b9cfdc6a417bb409a3
                                                                                                            • Opcode Fuzzy Hash: a0a15900addd73c9b0a5caeaa694915c043952dc1956d6571b702a563067b1b4
                                                                                                            • Instruction Fuzzy Hash: 333182715047019FE722DF24D8957D7BBE8FB49708F00092EF99A87290E7B1AA48CB56
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0036949C,?,00008000), ref: 00365773
                                                                                                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0036949C,?,00008000), ref: 003A4052
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: 38576ec25a3144c6ec172013f5a0129a76413058bcdaeae6fc8a6596b59710f1
                                                                                                            • Instruction ID: ede6b73b02ce82501b391c8eb0dd229eb0f8bab89f752feeed2b0484c1c45b11
                                                                                                            • Opcode Fuzzy Hash: 38576ec25a3144c6ec172013f5a0129a76413058bcdaeae6fc8a6596b59710f1
                                                                                                            • Instruction Fuzzy Hash: 01015231185625B6E3324A2ADD0EF977F98EF427B0F15C310BA9C6A1E0CBB45864DB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString
                                                                                                            • String ID:
                                                                                                            • API String ID: 2948472770-0
                                                                                                            • Opcode ID: 937e0d78cdbdae12c9b3e54c48bda1d36498bbda5902cb4a3820df49c73a5279
                                                                                                            • Instruction ID: 563df007eef89d0425b9b276e84b2c22d3d4b72071c00682b5c957a615835960
                                                                                                            • Opcode Fuzzy Hash: 937e0d78cdbdae12c9b3e54c48bda1d36498bbda5902cb4a3820df49c73a5279
                                                                                                            • Instruction Fuzzy Hash: A9D16E35A04259EFCF16EF99C8819ADBBB5FF48310F15815AE905AB391E730AD81CF90
                                                                                                            APIs
                                                                                                              • Part of subcall function 019B19E8: GetFileAttributesW.KERNELBASE(?), ref: 019B19F3
                                                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 019B22D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesCreateDirectoryFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3401506121-0
                                                                                                            • Opcode ID: 3970321641f940a9b6cec2f2276bb45af7415e1bbda5a4ea8cd295c931ba0d80
                                                                                                            • Instruction ID: eb2da0e8ffc55dff4cf5b4d813cfdd28e3e88b9f010657f375a1723a6ee78008
                                                                                                            • Opcode Fuzzy Hash: 3970321641f940a9b6cec2f2276bb45af7415e1bbda5a4ea8cd295c931ba0d80
                                                                                                            • Instruction Fuzzy Hash: FA519331A1120997EF14EFA4D984BEF733AEF98700F108568A60DF7280EB399B45C765
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 544645111-0
                                                                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                            • Instruction ID: 3937a2bbce3084c45564aebd16bb02a812d24cef27797b2825cfddef3648bdfa
                                                                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                            • Instruction Fuzzy Hash: 01311274A0010ADFC72ACF59D480969FBA6FF49300B25C2A5E809CB65AD735EDC1CBC0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00364E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00364EDD,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E9C
                                                                                                              • Part of subcall function 00364E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00364EAE
                                                                                                              • Part of subcall function 00364E90: FreeLibrary.KERNEL32(00000000,?,?,00364EDD,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364EC0
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364EFD
                                                                                                              • Part of subcall function 00364E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A3CDE,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E62
                                                                                                              • Part of subcall function 00364E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00364E74
                                                                                                              • Part of subcall function 00364E59: FreeLibrary.KERNEL32(00000000,?,?,003A3CDE,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E87
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$Load$AddressFreeProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2632591731-0
                                                                                                            • Opcode ID: f0ee0c96205e9c64371233721cb5b2c1cd48aecf6348f0a342b7322a9228ebdd
                                                                                                            • Instruction ID: 0c791e32d429d3501300f1b1dd30e28aa900e63e913dc64de7ec852985feda0e
                                                                                                            • Opcode Fuzzy Hash: f0ee0c96205e9c64371233721cb5b2c1cd48aecf6348f0a342b7322a9228ebdd
                                                                                                            • Instruction Fuzzy Hash: 1811E332A10305AACF17BB60DC02FAD77A5AF40B10F20C42EF542AE1C9EE71DA059790
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: __wsopen_s
                                                                                                            • String ID:
                                                                                                            • API String ID: 3347428461-0
                                                                                                            • Opcode ID: 03505c41af0204792d5422ca0a1cc4bc23221c5ba81cf4cbfbbb4ab647e5c975
                                                                                                            • Instruction ID: f62fb0c6fe4114497abc7ce7ca4d6ee8877d0fe393d08499d58916a3e823a16a
                                                                                                            • Opcode Fuzzy Hash: 03505c41af0204792d5422ca0a1cc4bc23221c5ba81cf4cbfbbb4ab647e5c975
                                                                                                            • Instruction Fuzzy Hash: 9411187590410AAFCF06DF59E94199A7BF9EF49314F114069F808AB312DB31EA11CBA5
APIs
  • Part of subcall function 00394C7D: RtlAllocateHeap.NTDLL(00000008,00361129,00000000,?,00392E29,00000001,00000364,?,?,?,0038F2DE,00393863,00431444,?,0037FDF5,?), ref: 00394CBE
• _free.LIBCMT ref: 0039506C
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
APIs
• RtlAllocateHeap.NTDLL(00000008,00361129,00000000,?,00392E29,00000001,00000364,?,?,?,0038F2DE,00393863,00431444,?,0037FDF5,?), ref: 00394CBE
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6,?,00361129), ref: 00393852
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• FreeLibrary.KERNEL32(?,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364F6D
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,003AEE51,00423630,00000002), ref: 003CCD26
  • Part of subcall function 003CCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,003CCD19,?,?,?), ref: 003CCC59
  • Part of subcall function 003CCC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,003CCD19,?,?,?,?,003AEE51,00423630,00000002), ref: 003CCC6E
  • Part of subcall function 003CCC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,003CCD19,?,?,?,?,003AEE51,00423630,00000002), ref: 003CCC7A
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: File$Pointer$Write
• String ID:
• API String ID: 3847668363-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00362DC4
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
APIs
  • Part of subcall function 00363837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00363908
  • Part of subcall function 0036D730: GetInputState.USER32 ref: 0036D807
• SetCurrentDirectoryW.KERNEL32(?), ref: 00362B6B
  • Part of subcall function 003630F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0036314E
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 019B19F3
Memory Dump Source
• Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                            • Instruction ID: b645b9ad6a744750b3fbed9b76bc2ac39a07fcd1158c3844f18290d5a12ccf08
                                                                                                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                                                            • Instruction Fuzzy Hash: F1E08630505108DBDB14CAACAA58AE973ECEB05311F104A65A509D3180D630AA10D654
                                                                                                            APIs
                                                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 019B19C3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                            • Instruction ID: eb38dec64406daa9aebbacef456d9b1340f20708327719f2b3bb8ab82ea786db
                                                                                                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                                                            • Instruction Fuzzy Hash: 72D05E7190524CABCB10CAA9AA049DE73A89705322F104765E91983281D5319A009750
                                                                                                            APIs
                                                                                                            • CreateFileW.KERNELBASE(00000000,00000000,?,003A0704,?,?,00000000,?,003A0704,00000000,0000000C), ref: 003A03B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: f0022221709512f58e7b620942236fc571c2d526d082d50379a76bb6ba8d4653
                                                                                                            • Instruction ID: 893b26d0551176ee799651ce4bb0d8e5814d15367a67d8c8dce6dcd30ee8f486
                                                                                                            • Opcode Fuzzy Hash: f0022221709512f58e7b620942236fc571c2d526d082d50379a76bb6ba8d4653
                                                                                                            • Instruction Fuzzy Hash: 91D06C3205010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C732E831EB90
                                                                                                            APIs
                                                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00361CBC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoParametersSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 3098949447-0
                                                                                                            • Opcode ID: 02b5691f4b46b4089afa23e2230d1726c9c0a83a749f880298d3f8708d93082c
                                                                                                            • Instruction ID: 1cd11c4bfaed9a0c04dc216165fd38f6f40b923a038c06a4ae0e74d86f74b537
                                                                                                            • Opcode Fuzzy Hash: 02b5691f4b46b4089afa23e2230d1726c9c0a83a749f880298d3f8708d93082c
                                                                                                            • Instruction Fuzzy Hash: 55C09B352C0304AFF2154780BD4AF107754A348B01F045011F60D555F3C3E11414DA54
                                                                                                            APIs
                                                                                                              • Part of subcall function 00365745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0036949C,?,00008000), ref: 00365773
                                                                                                            • GetLastError.KERNEL32(00000002,00000000), ref: 003D76DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateErrorFileLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1214770103-0
                                                                                                            • Opcode ID: 75faae6a391e2c4ee4c3ea6a25c6cc614534b04bab86ea6ffd0bdbb834271a20
                                                                                                            • Instruction ID: ad62286ee486c2e050294df37da65cfeea60bb191107d5ad464c1a6d1ec91f36
                                                                                                            • Opcode Fuzzy Hash: 75faae6a391e2c4ee4c3ea6a25c6cc614534b04bab86ea6ffd0bdbb834271a20
                                                                                                            • Instruction Fuzzy Hash: 5381B0312087019FC716EF28D491B69B7E5AF89314F04852EF8865B396EB34ED45CB52
                                                                                                            APIs
                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 019B33E9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3472027048-0
                                                                                                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                            • Instruction ID: 108e1e743c3c912c33a137c74fa66a6e99ad12c19f19cd5d144facf897d644db
                                                                                                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                            • Instruction Fuzzy Hash: 6BE0BF7498010EEFDB01DFA4D6496ED7BB4FF04711F1045A1FD05D7681DB309E548A62
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNELBASE(?,?,00000000,003A24E0), ref: 00366266
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: 8cbbe6347af6e2b04d8075e3408507f32cf03d22a0a4fe6cf69e07650ff0008b
                                                                                                            • Instruction ID: c632c9279c375c911e1e5b4c62142c1565d80626477a325983aab7731318b7b4
                                                                                                            • Opcode Fuzzy Hash: 8cbbe6347af6e2b04d8075e3408507f32cf03d22a0a4fe6cf69e07650ff0008b
                                                                                                            • Instruction Fuzzy Hash: A9E09275400B01CEC3324F1AE825412FBE9FEE13A13218E2ED0E592664D3B058869B90
                                                                                                            APIs
                                                                                                            • Sleep.KERNELBASE(000001F4), ref: 019B33E9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Sleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3472027048-0
                                                                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                            • Instruction ID: c5adc85643a6170c173db79782773ec085a72fc63f6e65825aa5ef9f097f0744
                                                                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                            • Instruction Fuzzy Hash: 5CE0E67498010EEFDB00DFB4D6496ED7FB4FF04701F104561FD05D2281D6309E508A62
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003F961A
                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003F965B
                                                                                                            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003F969F
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003F96C9
                                                                                                            • SendMessageW.USER32 ref: 003F96F2
                                                                                                            • GetKeyState.USER32(00000011), ref: 003F978B
                                                                                                            • GetKeyState.USER32(00000009), ref: 003F9798
                                                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003F97AE
                                                                                                            • GetKeyState.USER32(00000010), ref: 003F97B8
                                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003F97E9
                                                                                                            • SendMessageW.USER32 ref: 003F9810
                                                                                                            • SendMessageW.USER32(?,00001030,?,003F7E95), ref: 003F9918
                                                                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003F992E
                                                                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003F9941
                                                                                                            • SetCapture.USER32(?), ref: 003F994A
                                                                                                            • ClientToScreen.USER32(?,?), ref: 003F99AF
                                                                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003F99BC
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003F99D6
                                                                                                            • ReleaseCapture.USER32 ref: 003F99E1
                                                                                                            • GetCursorPos.USER32(?), ref: 003F9A19
                                                                                                            • ScreenToClient.USER32(?,?), ref: 003F9A26
                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 003F9A80
                                                                                                            • SendMessageW.USER32 ref: 003F9AAE
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 003F9AEB
                                                                                                            • SendMessageW.USER32 ref: 003F9B1A
                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003F9B3B
                                                                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003F9B4A
                                                                                                            • GetCursorPos.USER32(?), ref: 003F9B68
                                                                                                            • ScreenToClient.USER32(?,?), ref: 003F9B75
                                                                                                            • GetParent.USER32(?), ref: 003F9B93
                                                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 003F9BFA
                                                                                                            • SendMessageW.USER32 ref: 003F9C2B
                                                                                                            • ClientToScreen.USER32(?,?), ref: 003F9C84
                                                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003F9CB4
                                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 003F9CDE
                                                                                                            • SendMessageW.USER32 ref: 003F9D01
                                                                                                            • ClientToScreen.USER32(?,?), ref: 003F9D4E
                                                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003F9D82
                                                                                                              • Part of subcall function 00379944: GetWindowLongW.USER32(?,000000EB), ref: 00379952
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003F9E05
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                            • String ID: @GUI_DRAGID$F$p#C
                                                                                                            • API String ID: 3429851547-81565095
                                                                                                            • Opcode ID: e7cdb39e35221ba676f72cd26306cf838a34601320714226ec459af92a6a85ac
                                                                                                            • Instruction ID: accda1fd46c8e205b55fdb812c092a06103eaa444718ca605d44abfc4b8116d5
                                                                                                            • Opcode Fuzzy Hash: e7cdb39e35221ba676f72cd26306cf838a34601320714226ec459af92a6a85ac
                                                                                                            • Instruction Fuzzy Hash: E9428C70208208AFD726DF24CD44BBABBE9FF49720F15461AF699CB2A1D731A854CF51
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003F48F3
                                                                                                            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003F4908
                                                                                                            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003F4927
                                                                                                            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003F494B
                                                                                                            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003F495C
                                                                                                            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003F497B
                                                                                                            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003F49AE
                                                                                                            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003F49D4
                                                                                                            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003F4A0F
                                                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003F4A56
                                                                                                            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003F4A7E
                                                                                                            • IsMenu.USER32(?), ref: 003F4A97
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003F4AF2
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003F4B20
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003F4B94
                                                                                                            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003F4BE3
                                                                                                            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003F4C82
                                                                                                            • wsprintfW.USER32 ref: 003F4CAE
                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003F4CC9
                                                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 003F4CF1
                                                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003F4D13
                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003F4D33
                                                                                                            • GetWindowTextW.USER32(?,00000000,00000001), ref: 003F4D5A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                                            • String ID: %d/%02d/%02d
                                                                                                            • API String ID: 4054740463-328681919
                                                                                                            • Opcode ID: d2d0d6e73fb06181f38277508c9baae5d929fed783f87480f5da325ddabf79c7
                                                                                                            • Instruction ID: c5deeed65e8966b7143bb6a6969b82f9a4b1756007e00e60fa43645e619aa823
                                                                                                            • Opcode Fuzzy Hash: d2d0d6e73fb06181f38277508c9baae5d929fed783f87480f5da325ddabf79c7
                                                                                                            • Instruction Fuzzy Hash: EF12D07164035CABEB268F28CD49FBFBBF8AF45310F144129FA19DA2A1DB749940CB50
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0037F998
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003BF474
                                                                                                            • IsIconic.USER32(00000000), ref: 003BF47D
                                                                                                            • ShowWindow.USER32(00000000,00000009), ref: 003BF48A
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 003BF494
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003BF4AA
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 003BF4B1
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003BF4BD
                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 003BF4CE
                                                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 003BF4D6
                                                                                                            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 003BF4DE
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 003BF4E1
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003BF4F6
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 003BF501
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003BF50B
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 003BF510
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003BF519
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 003BF51E
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 003BF528
                                                                                                            • keybd_event.USER32(00000012,00000000), ref: 003BF52D
                                                                                                            • SetForegroundWindow.USER32(00000000), ref: 003BF530
                                                                                                            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 003BF557
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 4125248594-2988720461
                                                                                                            • Opcode ID: 827b0c5b65836b138e63bbce880e35719f600f70000de17da55fdb24548d67b8
                                                                                                            • Instruction ID: 417550ff3ecdd70a34f23cc2e44bb7ec2426d0b671e8ad66b472977edcd87b9e
                                                                                                            • Opcode Fuzzy Hash: 827b0c5b65836b138e63bbce880e35719f600f70000de17da55fdb24548d67b8
                                                                                                            • Instruction Fuzzy Hash: 0D316171A9021CBFEB226BB65D4AFBF7E6CEB45B50F111066FB04E61D1C6B05D00EA60
                                                                                                            APIs
                                                                                                              • Part of subcall function 003C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003C170D
                                                                                                              • Part of subcall function 003C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003C173A
                                                                                                              • Part of subcall function 003C16C3: GetLastError.KERNEL32 ref: 003C174A
                                                                                                            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 003C1286
                                                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003C12A8
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003C12B9
                                                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003C12D1
                                                                                                            • GetProcessWindowStation.USER32 ref: 003C12EA
                                                                                                            • SetProcessWindowStation.USER32(00000000), ref: 003C12F4
                                                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003C1310
                                                                                                              • Part of subcall function 003C10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003C11FC), ref: 003C10D4
                                                                                                              • Part of subcall function 003C10BF: CloseHandle.KERNEL32(?,?,003C11FC), ref: 003C10E9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                                            • String ID: $default$winsta0$ZB
                                                                                                            • API String ID: 22674027-1796749088
                                                                                                            • Opcode ID: 61c866662b00e7c7071783ed225861bf8ebe5c6389139f873205535f6dba32d7
                                                                                                            • Instruction ID: c05734b35b694d2fd1cdc768129602b1eda6d547f59df219b156f20b45be5ea1
                                                                                                            • Opcode Fuzzy Hash: 61c866662b00e7c7071783ed225861bf8ebe5c6389139f873205535f6dba32d7
                                                                                                            • Instruction Fuzzy Hash: B181A871A00209AFDF269FA5DD49FEE7BB9EF05704F184169F910E62A2D7348D44EB20
                                                                                                            APIs
                                                                                                              • Part of subcall function 003C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003C1114
                                                                                                              • Part of subcall function 003C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1120
                                                                                                              • Part of subcall function 003C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C112F
                                                                                                              • Part of subcall function 003C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1136
                                                                                                              • Part of subcall function 003C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003C114D
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003C0BCC
                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003C0C00
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 003C0C17
                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 003C0C51
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003C0C6D
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 003C0C84
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 003C0C8C
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 003C0C93
                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 003C0CB4
                                                                                                            • CopySid.ADVAPI32(00000000), ref: 003C0CBB
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003C0CEA
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003C0D0C
                                                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003C0D1E
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0D45
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0D4C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0D55
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0D5C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0D65
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0D6C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003C0D78
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0D7F
                                                                                                              • Part of subcall function 003C1193: GetProcessHeap.KERNEL32(00000008,003C0BB1,?,00000000,?,003C0BB1,?), ref: 003C11A1
                                                                                                              • Part of subcall function 003C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003C0BB1,?), ref: 003C11A8
                                                                                                              • Part of subcall function 003C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003C0BB1,?), ref: 003C11B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 4175595110-0
                                                                                                            • Opcode ID: 9c42084c3711c91014e69ae1edbe4f1438e653218f18ff3eba34446b0913618f
                                                                                                            • Instruction ID: dde2ef646f26aa8eba84b21fc45ebb9cc22486bc75130146cf0d12313d155272
                                                                                                            • Opcode Fuzzy Hash: 9c42084c3711c91014e69ae1edbe4f1438e653218f18ff3eba34446b0913618f
                                                                                                            • Instruction Fuzzy Hash: 9F715BB290024AEBDF16DFA4DD48FAEBBBCBF04700F058619E915E6191D771AD05CB60
                                                                                                            APIs
                                                                                                            • OpenClipboard.USER32(003FCC08), ref: 003DEB29
                                                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 003DEB37
                                                                                                            • GetClipboardData.USER32(0000000D), ref: 003DEB43
                                                                                                            • CloseClipboard.USER32 ref: 003DEB4F
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 003DEB87
                                                                                                            • CloseClipboard.USER32 ref: 003DEB91
• GlobalUnlock.KERNEL32(00000000), ref: 003DEBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 003DEBC9
• GetClipboardData.USER32(00000001), ref: 003DEBD1
• GlobalLock.KERNEL32(00000000), ref: 003DEBE2
• GlobalUnlock.KERNEL32(00000000), ref: 003DEC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 003DEC38
• GetClipboardData.USER32(0000000F), ref: 003DEC44
• GlobalLock.KERNEL32(00000000), ref: 003DEC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003DEC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003DEC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003DECD2
• GlobalUnlock.KERNEL32(00000000), ref: 003DECF3
• CountClipboardFormats.USER32 ref: 003DED14
• CloseClipboard.USER32 ref: 003DED59
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
• Opcode ID: 602dcdfe866037ed5e23e3ecd99549138d2a75e0d013493da756b9c341931f66
• Instruction ID: a45f50b32ea70bdfc2b630886074abe2c22ecad123e5772102160505c31b0ddf
• Opcode Fuzzy Hash: 602dcdfe866037ed5e23e3ecd99549138d2a75e0d013493da756b9c341931f66
• Instruction Fuzzy Hash: 6261C136248205AFD302EF20E995F3A7BA8EF84704F19555EF456DB3A1CB31E905CB62
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 003D69BE
• FindClose.KERNEL32(00000000), ref: 003D6A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003D6A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003D6A75
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 003D6AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 003D6ADF
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: 4bc40949f55934cb4336b42f6cbb8e4059c6369c9d4b92385862d06c48a85c6c
• Instruction ID: 25b21756a40075a7c6fa2c9ede518919c30d037b52cd2fe72a7244b821793798
• Opcode Fuzzy Hash: 4bc40949f55934cb4336b42f6cbb8e4059c6369c9d4b92385862d06c48a85c6c
• Instruction Fuzzy Hash: E0D16272508340AFC711DBA4D982EABB7FCAF88704F44491EF595CB251EB74DA44CB62
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003D9663
• GetFileAttributesW.KERNEL32(?), ref: 003D96A1
• SetFileAttributesW.KERNEL32(?,?), ref: 003D96BB
• FindNextFileW.KERNEL32(00000000,?), ref: 003D96D3
• FindClose.KERNEL32(00000000), ref: 003D96DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 003D96FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D974A
• SetCurrentDirectoryW.KERNEL32(00426B7C), ref: 003D9768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 003D9772
• FindClose.KERNEL32(00000000), ref: 003D977F
• FindClose.KERNEL32(00000000), ref: 003D978F
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
• Opcode ID: abc83a414697c2bbafdbc15ece971fd556a2754791c620aa4a684688ea978215
• Instruction ID: c3b54d3f8303c2b0b036a9aa25077a9976de0152169c1264fbe99980ae12eba3
• Opcode Fuzzy Hash: abc83a414697c2bbafdbc15ece971fd556a2754791c620aa4a684688ea978215
• Instruction Fuzzy Hash: BA31B03368021D6ADF16AFB4ED08BEE77AC9F49320F114597F805E22A0DB34D944CB14
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003D97BE
• FindNextFileW.KERNEL32(00000000,?), ref: 003D9819
• FindClose.KERNEL32(00000000), ref: 003D9824
• FindFirstFileW.KERNEL32(*.*,?), ref: 003D9840
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D9890
• SetCurrentDirectoryW.KERNEL32(00426B7C), ref: 003D98AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 003D98B8
• FindClose.KERNEL32(00000000), ref: 003D98C5
• FindClose.KERNEL32(00000000), ref: 003D98D5
  • Part of subcall function 003CDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003CDB00
Similarity
• API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 2640511053-438819550
• Opcode ID: e6fe7914ab0dce1e18dbb5f60c578d7c9dcdb168d766604c1351cad96b30a681
• Instruction ID: cf1b5786f5a158b99ed4df39fe4d9bdad8973986671cf1834522eb06a62e3698
• Opcode Fuzzy Hash: e6fe7914ab0dce1e18dbb5f60c578d7c9dcdb168d766604c1351cad96b30a681
• Instruction Fuzzy Hash: 2E31B23354021D6ADF12AFA4FC48BEE77AC9F46720F154597F810A22A0DB34DA45DB24
APIs
• GetLocalTime.KERNEL32(?), ref: 003D8257
• SystemTimeToFileTime.KERNEL32(?,?), ref: 003D8267
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003D8273
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003D8310
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D8324
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D8356
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003D838C
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D8395
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: 4ae419a0a360f17c8782b26ed26ab869862a0a5d89be499c4886004226ffa80f
• Instruction ID: df2ba4a7a912167c7db7454db62063732426600b3d18234507bdef0b3f1c354b
• Opcode Fuzzy Hash: 4ae419a0a360f17c8782b26ed26ab869862a0a5d89be499c4886004226ffa80f
• Instruction Fuzzy Hash: 9C616BB65043459FCB11EF64D8409AEB3E8FF89314F04895EF989CB251EB31E949CB92
APIs
  • Part of subcall function 00363AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00363A97,?,?,00362E7F,?,?,?,00000000), ref: 00363AC2
  • Part of subcall function 003CE199: GetFileAttributesW.KERNEL32(?,003CCF95), ref: 003CE19A
• FindFirstFileW.KERNEL32(?,?), ref: 003CD122
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003CD1DD
• MoveFileW.KERNEL32(?,?), ref: 003CD1F0
• DeleteFileW.KERNEL32(?,?,?,?), ref: 003CD20D
• FindNextFileW.KERNEL32(00000000,00000010), ref: 003CD237
  • Part of subcall function 003CD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,003CD21C,?,?), ref: 003CD2B2
• FindClose.KERNEL32(00000000,?,?,?), ref: 003CD253
• FindClose.KERNEL32(00000000), ref: 003CD264
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
• Opcode ID: 8a9a7d973e32f72c73bd4f817cdaf3b9524c99c2b2b296c613bfeabbf2b0596e
• Instruction ID: b3a01856f0155a14ed3affe3d7b3d9222cadd9ee443516159d00d4529834f843
• Opcode Fuzzy Hash: 8a9a7d973e32f72c73bd4f817cdaf3b9524c99c2b2b296c613bfeabbf2b0596e
• Instruction Fuzzy Hash: D2613F3180110DAACF16EBE0DA52EEDB7B9AF55300F248569F402BB195EB319F09DB61
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: d507c97195c607f48bfafa2fed3e040869da16b16eda453334fbb6d584345659
• Instruction ID: 566dad958bb39d927d62f51edad2cb393b67dd0d72eb0bbb6aa0139ebbd019ee
• Opcode Fuzzy Hash: d507c97195c607f48bfafa2fed3e040869da16b16eda453334fbb6d584345659
• Instruction Fuzzy Hash: 2D41CD32204211AFE722EF15E888B29BBE9FF44318F15D09AE4598F762C775EC41CB90
APIs
  • Part of subcall function 003C16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003C170D
  • Part of subcall function 003C16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003C173A
  • Part of subcall function 003C16C3: GetLastError.KERNEL32 ref: 003C174A
• ExitWindowsEx.USER32(?,00000000), ref: 003CE932
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                            • String ID: $ $@$SeShutdownPrivilege
                                                                                                            • API String ID: 2234035333-3163812486
                                                                                                            APIs
                                                                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 003E1276
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E1283
                                                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 003E12BA
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E12C5
                                                                                                            • closesocket.WSOCK32(00000000), ref: 003E12F4
                                                                                                            • listen.WSOCK32(00000000,00000005), ref: 003E1303
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E130D
                                                                                                            • closesocket.WSOCK32(00000000), ref: 003E133C
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 540024437-0
                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 0039B9D4
                                                                                                            • _free.LIBCMT ref: 0039B9F8
                                                                                                            • _free.LIBCMT ref: 0039BB7F
                                                                                                            • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00403700), ref: 0039BB91
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0043121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0039BC09
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00431270,000000FF,?,0000003F,00000000,?), ref: 0039BC36
                                                                                                            • _free.LIBCMT ref: 0039BD4B
                                                                                                            Similarity
                                                                                                            • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 314583886-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00363AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00363A97,?,?,00362E7F,?,?,?,00000000), ref: 00363AC2
                                                                                                              • Part of subcall function 003CE199: GetFileAttributesW.KERNEL32(?,003CCF95), ref: 003CE19A
                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003CD420
                                                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 003CD470
                                                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003CD481
                                                                                                            • FindClose.KERNEL32(00000000), ref: 003CD498
                                                                                                            • FindClose.KERNEL32(00000000), ref: 003CD4A1
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                            • String ID: \*.*
                                                                                                            • API String ID: 2649000838-1173974218
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: __floor_pentium4
                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                            • API String ID: 4168288129-2761157908
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 003D64DC
                                                                                                            • CoInitialize.OLE32(00000000), ref: 003D6639
                                                                                                            • CoCreateInstance.OLE32(003FFCF8,00000000,00000001,003FFB68,?), ref: 003D6650
                                                                                                            • CoUninitialize.OLE32 ref: 003D68D4
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                            • String ID: .lnk
                                                                                                            • API String ID: 886957087-24824748
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(?,?,00000000), ref: 003E22E8
                                                                                                              • Part of subcall function 003DE4EC: GetWindowRect.USER32(?,?), ref: 003DE504
                                                                                                            • GetDesktopWindow.USER32 ref: 003E2312
                                                                                                            • GetWindowRect.USER32(00000000), ref: 003E2319
                                                                                                            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003E2355
                                                                                                            • GetCursorPos.USER32(?), ref: 003E2381
                                                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003E23DF
                                                                                                            Similarity
                                                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                                            • String ID:
                                                                                                            • API String ID: 2387181109-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003D9B78
                                                                                                            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003D9C8B
                                                                                                              • Part of subcall function 003D3874: GetInputState.USER32 ref: 003D38CB
                                                                                                              • Part of subcall function 003D3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D3966
                                                                                                            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003D9BA8
                                                                                                            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003D9C75
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                            • String ID: *.*
                                                                                                            • API String ID: 1972594611-438819550
                                                                                                            • Opcode ID: c6363b8b08c6afd8f2b34a84050bc2d56ba86eca8fcfc1a7bec5c2a3911df41c
                                                                                                            • Instruction ID: 21897f30359fef53bfe10f87f894af6f371578493d240ba00db5bbfa4da6e6be
                                                                                                            • Opcode Fuzzy Hash: c6363b8b08c6afd8f2b34a84050bc2d56ba86eca8fcfc1a7bec5c2a3911df41c
                                                                                                            • Instruction Fuzzy Hash: 8641737695420AAFCF16DF64D945BEE7BB8EF05310F244197E405A72A1EB309E44CF60
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: ERCP$InitializeCriticalSectionEx$VUUU$VUUU$VUUU$VUUU
                                                                                                            • API String ID: 0-1173862840
                                                                                                            • Opcode ID: da392d0f21341a144a96ed6d62ce53223d10142ca1a0784e9c5c0590b704f2dd
                                                                                                            • Instruction ID: 1fa418e1f32186aeb9e4302a786d80a2ec5c1d8c8a5950a01639e50cf2b619d6
                                                                                                            • Opcode Fuzzy Hash: da392d0f21341a144a96ed6d62ce53223d10142ca1a0784e9c5c0590b704f2dd
                                                                                                            • Instruction Fuzzy Hash: BEA2B370E0061ACBDF26CF58C8417ADB7B1FF59310F2586AAD915AB688DB709D81CF50
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 00379A4E
                                                                                                            • GetSysColor.USER32(0000000F), ref: 00379B23
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00379B36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$LongProcWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3131106179-0
                                                                                                            • Opcode ID: ba49733d92f1ca71b2ed77eaf2470a77faac840e3708f05bc1e91a150603ca3d
                                                                                                            • Instruction ID: 29a09fd0ad92df731a7c02449b62475d5310e6e48da946d9e6f165236445baee
                                                                                                            • Opcode Fuzzy Hash: ba49733d92f1ca71b2ed77eaf2470a77faac840e3708f05bc1e91a150603ca3d
                                                                                                            • Instruction Fuzzy Hash: 28A13E70109404BEE73BAA3C8C49FBB265DDB82304F16831BF606DADA5CA299D01C375
                                                                                                            APIs
                                                                                                              • Part of subcall function 003E304E: inet_addr.WSOCK32(?), ref: 003E307A
                                                                                                              • Part of subcall function 003E304E: _wcslen.LIBCMT ref: 003E309B
                                                                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 003E185D
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E1884
                                                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 003E18DB
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E18E6
                                                                                                            • closesocket.WSOCK32(00000000), ref: 003E1915
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1601658205-0
                                                                                                            • Opcode ID: deceb4a93a7a7bd178967abe2b9599d433d75a08812c3f7d290a9c71d399080a
                                                                                                            • Instruction ID: f9e8e7775dca9541daa670b81947026b5d2ac50db881ce97a75264188fca588e
                                                                                                            • Opcode Fuzzy Hash: deceb4a93a7a7bd178967abe2b9599d433d75a08812c3f7d290a9c71d399080a
                                                                                                            • Instruction Fuzzy Hash: 1C51C371A00210AFDB12AF24C886F7A77E5AB44718F08C598F94A9F3D7C775AD41CBA1
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                            • String ID:
                                                                                                            • API String ID: 292994002-0
                                                                                                            • Opcode ID: bdfe34e634a7b8a960a941856405ddee52eef5428051edc4767b707b69e30f69
                                                                                                            • Instruction ID: 8b5bdd50fd222516a4f7c9a7dc8a1f7cb0a7403a4b92e916a961dabeaaa54f5a
                                                                                                            • Opcode Fuzzy Hash: bdfe34e634a7b8a960a941856405ddee52eef5428051edc4767b707b69e30f69
                                                                                                            • Instruction Fuzzy Hash: 8E21A331780218DFD7228F1AE844B7A7BA9EF95324F199068E946CB351CB71EC42CB90
                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003C82AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen
                                                                                                            • String ID: ($tbB$|
                                                                                                            • API String ID: 1659193697-3141210941
                                                                                                            • Opcode ID: 9529bdbc8101655ec47e691029e7c352e1bf36363849313a7914ae02e4f80a6d
                                                                                                            • Instruction ID: 59fb25f31a5ad3df9b87b1aebb13bb424726db758ee2974bf2e5c10e01b3a733
                                                                                                            • Opcode Fuzzy Hash: 9529bdbc8101655ec47e691029e7c352e1bf36363849313a7914ae02e4f80a6d
                                                                                                            • Instruction Fuzzy Hash: EC323379A006059FCB29CF59C480E6AB7F0FF48710B15C46EE59ADB7A1EB70EA41CB44
                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 003EA6AC
                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 003EA6BA
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 003EA79C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003EA7AB
                                                                                                              • Part of subcall function 0037CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003A3303,?), ref: 0037CE8A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1991900642-0
                                                                                                            • Opcode ID: d8bd12e3b93275e4a03e4dce644f8a0222c94eb2c689a4d9bf886c986906157a
                                                                                                            • Instruction ID: 183acc6f8eddc7b2a909afcbbc8e2b0894ee198d5d11784ddea2eb308c571ee3
                                                                                                            • Opcode Fuzzy Hash: d8bd12e3b93275e4a03e4dce644f8a0222c94eb2c689a4d9bf886c986906157a
                                                                                                            • Instruction Fuzzy Hash: F8515F715083509FD711EF25C886A6BBBE8FF89754F00892DF589DB291EB70E904CB92
                                                                                                            APIs
                                                                                                            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 003CAAAC
                                                                                                            • SetKeyboardState.USER32(00000080), ref: 003CAAC8
                                                                                                            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 003CAB36
                                                                                                            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 003CAB88
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 432972143-0
                                                                                                            • Opcode ID: fdd1bf793dc4d23135c0435e2dddd61954dfb8e420083d12bf9604cb4110c71b
                                                                                                            • Instruction ID: 888f67f1a9ab872ce9c616c68b66375901885737f76a4401af9f422f5e24677f
                                                                                                            • Opcode Fuzzy Hash: fdd1bf793dc4d23135c0435e2dddd61954dfb8e420083d12bf9604cb4110c71b
                                                                                                            • Instruction Fuzzy Hash: 9A310570A80A0CAEEB378A69CC05FFA7BBAAB44314F04421EF185D61D1D7758D81D7A2
                                                                                                            APIs
                                                                                                            • InternetReadFile.WININET(?,?,00000400,?), ref: 003DCE89
                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 003DCEEA
                                                                                                            • SetEvent.KERNEL32(?,?,00000000), ref: 003DCEFE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorEventFileInternetLastRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 234945975-0
                                                                                                            • Opcode ID: 8ccbdb80ef5919214e386d00f879027cb3228af8d02deab8982e59ca98f3ff06
                                                                                                            • Instruction ID: f18c4e6d895e1b609b544c792d29aae85582de5ee08d71fd92efd5650fc383eb
                                                                                                            • Opcode Fuzzy Hash: 8ccbdb80ef5919214e386d00f879027cb3228af8d02deab8982e59ca98f3ff06
                                                                                                            • Instruction Fuzzy Hash: 8D21EDB2520306ABDB22DFA5E948BA777FCEB00305F10541FE542D2251E730EE04DB54
APIs
• lstrlenW.KERNEL32(?,003A5222), ref: 003CDBCE
• GetFileAttributesW.KERNEL32(?), ref: 003CDBDD
• FindFirstFileW.KERNEL32(?,?), ref: 003CDBEE
• FindClose.KERNEL32(00000000), ref: 003CDBFA
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 003D5CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 003D5D17
• FindClose.KERNEL32(?), ref: 003D5D5F
APIs
• IsDebuggerPresent.KERNEL32 ref: 0039271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00392724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00392731
APIs
• SetErrorMode.KERNEL32(00000001), ref: 003D51DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003D5238
• SetErrorMode.KERNEL32(00000000), ref: 003D52A1
APIs
  • Part of subcall function 0037FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00380668
  • Part of subcall function 0037FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00380685
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003C170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003C173A
• GetLastError.KERNEL32 ref: 003C174A
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003CD608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003CD645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003CD650
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003C168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003C16A1
• FreeSid.ADVAPI32(?), ref: 003C16B1
APIs
• GetCurrentProcess.KERNEL32(003928E9,?,00384CBE,003928E9,004288B8,0000000C,00384E15,003928E9,00000002,00000000,?,003928E9), ref: 00384D09
• TerminateProcess.KERNEL32(00000000,?,00384CBE,003928E9,004288B8,0000000C,00384E15,003928E9,00000002,00000000,?,003928E9), ref: 00384D10
• ExitProcess.KERNEL32 ref: 00384D22
Strings
                                                                                                            • String ID: /
                                                                                                            • API String ID: 0-2043925204
                                                                                                            • Opcode ID: 97eaaf580243568eee9de6dbc1593a2a8e4f279557f6df011f94611bdcc70dba
                                                                                                            • Instruction ID: f119b8208d697fcadb54ab7281982887c989b1b8530a6f8f18dbfe31bf5cdd55
                                                                                                            • Opcode Fuzzy Hash: 97eaaf580243568eee9de6dbc1593a2a8e4f279557f6df011f94611bdcc70dba
                                                                                                            • Instruction Fuzzy Hash: C5415976A00219AFCF219FB9CC88EBB77B8EB84354F5046A9F905DB181E6709D81CB50
                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 003BD28C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID: X64
                                                                                                            • API String ID: 2645101109-893830106
                                                                                                            • Opcode ID: d7c01a0577a755343ac48103064e2fabe26a07a2d23f6943e7478da66b79c5bc
                                                                                                            • Instruction ID: 1be87d1dae7e4a1459d2d851905fe5c1a1c8a65c55d02fd1122a46373694d1d5
                                                                                                            • Opcode Fuzzy Hash: d7c01a0577a755343ac48103064e2fabe26a07a2d23f6943e7478da66b79c5bc
                                                                                                            • Instruction Fuzzy Hash: 2DD0C9B481111DEACB95CB90DC88DD9B37CBF04305F104555F106A2400DB3495498F10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                            • Instruction ID: ea0a5e7ccc74fb233f7243366954980307778e38b93dde1dd95516ae678c7cf0
                                                                                                            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                            • Instruction Fuzzy Hash: C3021C71E102199BDF15DFA9C8806ADFBF1FF48314F2581AAD919EB384D730AE418B94
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Variable is not of type 'Object'.$p#C
                                                                                                            • API String ID: 0-3188107015
                                                                                                            • Opcode ID: 1fef7edeee08bdca227facf42ca6e3eba08fbb7734f4c8859c750ea57c409b11
                                                                                                            • Instruction ID: 121842ae63913e83935b12006051edbde56624f9bf420c1255b66f70edf4a808
                                                                                                            • Opcode Fuzzy Hash: 1fef7edeee08bdca227facf42ca6e3eba08fbb7734f4c8859c750ea57c409b11
                                                                                                            • Instruction Fuzzy Hash: 5C32BE30910218DFCF1ADF90C984AFEB7B9BF04308F109069E946AF696D775AD46CB60
                                                                                                            APIs
                                                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003D6918
                                                                                                            • FindClose.KERNEL32(00000000), ref: 003D6961
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                            • String ID:
                                                                                                            • API String ID: 2295610775-0
                                                                                                            • Opcode ID: 0be22ae4f9d8fb7d85e481394e1f24e1f98b786dc12e5270ac2337f508df3b61
                                                                                                            • Instruction ID: a1fa8675ef2f6132e51afd03d6f712c2405528ca067f23b22de38014c46e0156
                                                                                                            • Opcode Fuzzy Hash: 0be22ae4f9d8fb7d85e481394e1f24e1f98b786dc12e5270ac2337f508df3b61
                                                                                                            • Instruction Fuzzy Hash: 0F11E2326142009FC711CF69D485A26BBE4FF89328F05C69AF4698F3A2C770EC05CB90
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003E4891,?,?,00000035,?), ref: 003D37E4
                                                                                                            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003E4891,?,?,00000035,?), ref: 003D37F4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFormatLastMessage
                                                                                                            • String ID:
                                                                                                            • API String ID: 3479602957-0
                                                                                                            • Opcode ID: 68a6c74dc83f696ff3b7679a3d21db31d5afe6f8f5eef511d68f21d1bfd34a08
                                                                                                            • Instruction ID: ec3d5980d5eebdaf994814af43edbddb20817e406ebb466e50a9d24b0b0026ab
                                                                                                            • Opcode Fuzzy Hash: 68a6c74dc83f696ff3b7679a3d21db31d5afe6f8f5eef511d68f21d1bfd34a08
                                                                                                            • Instruction Fuzzy Hash: 5AF055B16012292AEB2213669C4CFEB3BAEEFC4760F000232F508E2284C9608D04C6B0
                                                                                                            APIs
                                                                                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 003CB25D
                                                                                                            • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 003CB270
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InputSendkeybd_event
                                                                                                            • String ID:
                                                                                                            • API String ID: 3536248340-0
                                                                                                            • Opcode ID: eaea5f395e81f7d777f92762167562c49aaa0037c28c6efd9ccb840f13e9fea5
                                                                                                            • Instruction ID: 88cdb4787dc0f3357255636c5b999544ab93332c0d95bd535271c0dbf187ce52
                                                                                                            • Opcode Fuzzy Hash: eaea5f395e81f7d777f92762167562c49aaa0037c28c6efd9ccb840f13e9fea5
                                                                                                            • Instruction Fuzzy Hash: 17F01D7185424DABDB069FA1C806BBEBBB4FF04305F009409F955A5192C3799615DF94
                                                                                                            APIs
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003C11FC), ref: 003C10D4
                                                                                                            • CloseHandle.KERNEL32(?,?,003C11FC), ref: 003C10E9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                            • String ID:
                                                                                                            • API String ID: 81990902-0
                                                                                                            • Opcode ID: 8cb60aa3244ea29293a4aa2687f42f3b2245fecdc828e601f17a91e964e4df57
                                                                                                            • Instruction ID: 87b735f02481cf8aab5e8ba4784a253c0bfc8c465e5f1b79cdea37be12443963
                                                                                                            • Opcode Fuzzy Hash: 8cb60aa3244ea29293a4aa2687f42f3b2245fecdc828e601f17a91e964e4df57
                                                                                                            • Instruction Fuzzy Hash: ACE01A32018610AEE7362B11FC05E7377A9FB04310F10882EB4A5844B1DA62AC90EB10
                                                                                                            APIs
                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00396766,?,?,00000008,?,?,0039FEFE,00000000), ref: 00396998
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionRaise
                                                                                                            • String ID:
                                                                                                            • API String ID: 3997070919-0
                                                                                                            • Opcode ID: a2f1f752b1c98d7a2c7f2c59b4cf98372ba881b4d60eebd2ff5af97708d5e777
                                                                                                            • Instruction ID: fa8320bd9e268cf14afce7cd32b8b981efadfbc0f248a1a2a5320a4e5d7152bb
                                                                                                            • Opcode Fuzzy Hash: a2f1f752b1c98d7a2c7f2c59b4cf98372ba881b4d60eebd2ff5af97708d5e777
                                                                                                            • Instruction Fuzzy Hash: ABB14C71611609DFDB16CF28C48AB657BE0FF45364F268658E8A9CF2A2C335E991CB40
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID: 0-3916222277
                                                                                                            • Opcode ID: 5b5ac5960634891c01a39e6a07c8b8ee008a4f10119a83f2f935185ea30ccef0
                                                                                                            • Instruction ID: 5c2797cf088fb01214f737043fe44c92bace5c08f6835cb6b35c9c6099801592
                                                                                                            • Opcode Fuzzy Hash: 5b5ac5960634891c01a39e6a07c8b8ee008a4f10119a83f2f935185ea30ccef0
                                                                                                            • Instruction Fuzzy Hash: 34128F759002299BCB25CF59C8807EEB7F9FF48310F1581AAE949EB641DB349E81CF90
APIs
• BlockInput.USER32(00000001), ref: 003DEABD
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: BlockInput
• String ID:
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003803EE), ref: 003809DA
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID: 0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID: 0&C
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
Memory Dump Source
• Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
                                                                                                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                            • Instruction ID: 9981996c8b21247a56960b26cc40dc4ff7ae9ae5e90c956217bf30411eb9b797
                                                                                                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                            • Instruction Fuzzy Hash: E441D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                            • Instruction ID: e7489cc37456306c03f893351b81ddef9ad9a5d41503e8281a8c7c654a64c283
                                                                                                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                            • Instruction Fuzzy Hash: ED019278A00109EFCB44DF98C6909AEF7B5FB48310F208599D819A7702D730AE41DB80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                            • Instruction ID: a3cfe0eaa0da8bb7fc8c28a069c2ba729494a128e0ff134845812be69717c3cb
                                                                                                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                            • Instruction Fuzzy Hash: 98014278A01509EFCB44DF98C6909AEF7F5FB88310F208599D919A7746D730AE51DB80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2228816640.00000000019B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 019B1000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_19b1000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                            APIs
                                                                                                            • DeleteObject.GDI32(00000000), ref: 003E2B30
                                                                                                            • DeleteObject.GDI32(00000000), ref: 003E2B43
                                                                                                            • DestroyWindow.USER32 ref: 003E2B52
                                                                                                            • GetDesktopWindow.USER32 ref: 003E2B6D
                                                                                                            • GetWindowRect.USER32(00000000), ref: 003E2B74
                                                                                                            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 003E2CA3
                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 003E2CB1
                                                                                                            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2CF8
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 003E2D04
                                                                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003E2D40
                                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2D62
                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2D75
                                                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2D80
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 003E2D89
                                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2D98
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 003E2DA1
                                                                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2DA8
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 003E2DB3
                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2DC5
                                                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,003FFC38,00000000), ref: 003E2DDB
                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 003E2DEB
                                                                                                            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003E2E11
                                                                                                            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003E2E30
                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E2E52
                                                                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003E303F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                                                                            • API String ID: 2211948467-2373415609
                                                                                                            • Opcode ID: 09d67626ba0fe0bcdc2ec4e70429246352c3341646c44e848033672b07f1be74
                                                                                                            • Instruction ID: 2ecd8ffaddabc1ec8d7888151f7637930b92c44aeb19ceb0f847a87bd4b37820
                                                                                                            • Opcode Fuzzy Hash: 09d67626ba0fe0bcdc2ec4e70429246352c3341646c44e848033672b07f1be74
                                                                                                            • Instruction Fuzzy Hash: F2028C71510219AFDB16DF64CD89EAE7BB9FF49310F048258F915AB2A1DB70AD01CF60
                                                                                                            APIs
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 003F712F
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 003F7160
                                                                                                            • GetSysColor.USER32(0000000F), ref: 003F716C
                                                                                                            • SetBkColor.GDI32(?,000000FF), ref: 003F7186
                                                                                                            • SelectObject.GDI32(?,?), ref: 003F7195
                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 003F71C0
                                                                                                            • GetSysColor.USER32(00000010), ref: 003F71C8
                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 003F71CF
                                                                                                            • FrameRect.USER32(?,?,00000000), ref: 003F71DE
                                                                                                            • DeleteObject.GDI32(00000000), ref: 003F71E5
                                                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 003F7230
                                                                                                            • FillRect.USER32(?,?,?), ref: 003F7262
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003F7284
                                                                                                              • Part of subcall function 003F73E8: GetSysColor.USER32(00000012), ref: 003F7421
                                                                                                              • Part of subcall function 003F73E8: SetTextColor.GDI32(?,?), ref: 003F7425
                                                                                                              • Part of subcall function 003F73E8: GetSysColorBrush.USER32(0000000F), ref: 003F743B
                                                                                                              • Part of subcall function 003F73E8: GetSysColor.USER32(0000000F), ref: 003F7446
                                                                                                              • Part of subcall function 003F73E8: GetSysColor.USER32(00000011), ref: 003F7463
                                                                                                              • Part of subcall function 003F73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003F7471
                                                                                                              • Part of subcall function 003F73E8: SelectObject.GDI32(?,00000000), ref: 003F7482
                                                                                                              • Part of subcall function 003F73E8: SetBkColor.GDI32(?,00000000), ref: 003F748B
                                                                                                              • Part of subcall function 003F73E8: SelectObject.GDI32(?,?), ref: 003F7498
                                                                                                              • Part of subcall function 003F73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003F74B7
                                                                                                              • Part of subcall function 003F73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003F74CE
                                                                                                              • Part of subcall function 003F73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003F74DB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                            • String ID:
                                                                                                            • API String ID: 4124339563-0
                                                                                                            • Opcode ID: b49af9a730a9adc7314a7729b254dd9bdf8bd129ecb96dc65dc355d802734eb8
                                                                                                            • Instruction ID: ae120c11d13580c7fb6d70820173cb579fdc093056efed66784526c605761e11
                                                                                                            • Opcode Fuzzy Hash: b49af9a730a9adc7314a7729b254dd9bdf8bd129ecb96dc65dc355d802734eb8
                                                                                                            • Instruction Fuzzy Hash: 6EA1AE72058309BFDB029F60DD48EBBBBADFB49320F101A19FA66961E1D731E944CB51
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(00000000), ref: 003E273E
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003E286A
                                                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003E28A9
                                                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003E28B9
                                                                                                            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003E2900
                                                                                                            • GetClientRect.USER32(00000000,?), ref: 003E290C
                                                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003E2955
                                                                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003E2964
                                                                                                            • GetStockObject.GDI32(00000011), ref: 003E2974
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 003E2978
                                                                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003E2988
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003E2991
                                                                                                            • DeleteDC.GDI32(00000000), ref: 003E299A
                                                                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003E29C6
                                                                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 003E29DD
                                                                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 003E2A1D
                                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003E2A31
                                                                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 003E2A42
                                                                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003E2A77
                                                                                                            • GetStockObject.GDI32(00000011), ref: 003E2A82
                                                                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003E2A8D
                                                                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003E2A97
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                            • API String ID: 2910397461-517079104
                                                                                                            • Opcode ID: 4aaf6a23ea8739d9dee1c9405bd366c6122f81585b79982abc9b7ed3996e709a
                                                                                                            • Instruction ID: d5541b444091c2f100391fdc3bbc1d01937aa887269b3549e60be7f792fb0c8a
                                                                                                            • Opcode Fuzzy Hash: 4aaf6a23ea8739d9dee1c9405bd366c6122f81585b79982abc9b7ed3996e709a
                                                                                                            • Instruction Fuzzy Hash: F3B16C71A50219AFEB15DFA9CD45FAF7BA9EB08710F008215FA15EB2E0D770AD40CB94
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00000001), ref: 003D4AED
                                                                                                            • GetDriveTypeW.KERNEL32(?,003FCB68,?,\\.\,003FCC08), ref: 003D4BCA
                                                                                                            • SetErrorMode.KERNEL32(00000000,003FCB68,?,\\.\,003FCC08), ref: 003D4D36
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode$DriveType
                                                                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                            • API String ID: 2907320926-4222207086
                                                                                                            • Opcode ID: d74d0da2e4c2e1fd853f1801cd8fcd3b5e561d7940df328f9adfb78afa9373a0
                                                                                                            • Instruction ID: 6d550f5fd7de5ab941dc9020927429c89e76b6af8983cfe2c9c7d0272998455d
                                                                                                            • Opcode Fuzzy Hash: d74d0da2e4c2e1fd853f1801cd8fcd3b5e561d7940df328f9adfb78afa9373a0
                                                                                                            • Instruction Fuzzy Hash: 2D61F332722209EBCB06DF24EA81E7877B5AB04300B718417F806ABB56DB39ED41DB45
                                                                                                            APIs
                                                                                                            • GetSysColor.USER32(00000012), ref: 003F7421
                                                                                                            • SetTextColor.GDI32(?,?), ref: 003F7425
                                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 003F743B
                                                                                                            • GetSysColor.USER32(0000000F), ref: 003F7446
                                                                                                            • CreateSolidBrush.GDI32(?), ref: 003F744B
                                                                                                            • GetSysColor.USER32(00000011), ref: 003F7463
                                                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003F7471
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 003F7482
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 003F748B
                                                                                                            • SelectObject.GDI32(?,?), ref: 003F7498
                                                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 003F74B7
                                                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003F74CE
                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003F74DB
                                                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003F752A
                                                                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003F7554
                                                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 003F7572
                                                                                                            • DrawFocusRect.USER32(?,?), ref: 003F757D
                                                                                                            • GetSysColor.USER32(00000011), ref: 003F758E
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 003F7596
                                                                                                            • DrawTextW.USER32(?,003F70F5,000000FF,?,00000000), ref: 003F75A8
                                                                                                            • SelectObject.GDI32(?,?), ref: 003F75BF
                                                                                                            • DeleteObject.GDI32(?), ref: 003F75CA
                                                                                                            • SelectObject.GDI32(?,?), ref: 003F75D0
                                                                                                            • DeleteObject.GDI32(?), ref: 003F75D5
                                                                                                            • SetTextColor.GDI32(?,?), ref: 003F75DB
                                                                                                            • SetBkColor.GDI32(?,?), ref: 003F75E5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                            • String ID:
                                                                                                            • API String ID: 1996641542-0
                                                                                                            • Opcode ID: 7d5aafbce763228cc1cc8eb66c6d5767f5cbd0aab4410eb2922bfba89bc8dbe1
                                                                                                            • Instruction ID: f1645bfe35e23f032a9dda68d520d4e83af8ae7fcd59b443ae2a64efb7f5c685
                                                                                                            • Opcode Fuzzy Hash: 7d5aafbce763228cc1cc8eb66c6d5767f5cbd0aab4410eb2922bfba89bc8dbe1
                                                                                                            • Instruction Fuzzy Hash: 39617A7294421CAFDF029FA4DD48EEEBFB9EB09320F115125FA15AB2A1D7709940CB90
                                                                                                            APIs
                                                                                                            • GetCursorPos.USER32(?), ref: 003F1128
                                                                                                            • GetDesktopWindow.USER32 ref: 003F113D
                                                                                                            • GetWindowRect.USER32(00000000), ref: 003F1144
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003F1199
                                                                                                            • DestroyWindow.USER32(?), ref: 003F11B9
                                                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003F11ED
                                                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003F120B
                                                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003F121D
                                                                                                            • SendMessageW.USER32(00000000,00000421,?,?), ref: 003F1232
                                                                                                            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003F1245
                                                                                                            • IsWindowVisible.USER32(00000000), ref: 003F12A1
                                                                                                            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003F12BC
                                                                                                            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003F12D0
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 003F12E8
                                                                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 003F130E
                                                                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 003F1328
                                                                                                            • CopyRect.USER32(?,?), ref: 003F133F
                                                                                                            • SendMessageW.USER32(00000000,00000412,00000000), ref: 003F13AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                            • String ID: ($0$tooltips_class32
                                                                                                            • API String ID: 698492251-4156429822
                                                                                                            • Opcode ID: 9c4d318df1ccdbb5c07d6d2a743a847d97a3b4a8418c3da2fefa16e5347741fc
                                                                                                            • Instruction ID: 0de44da0d7352d55ed9a72935ca60dde422a466a7a2cb53c5c9f6e761f3727eb
                                                                                                            • Opcode Fuzzy Hash: 9c4d318df1ccdbb5c07d6d2a743a847d97a3b4a8418c3da2fefa16e5347741fc
                                                                                                            • Instruction Fuzzy Hash: 4BB18A71618345EFD701DF64D984BAABBE8FF84350F008919FA999B2A1CB71E844CF91
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 003F02E5
                                                                                                            • _wcslen.LIBCMT ref: 003F031F
                                                                                                            • _wcslen.LIBCMT ref: 003F0389
                                                                                                            • _wcslen.LIBCMT ref: 003F03F1
                                                                                                            • _wcslen.LIBCMT ref: 003F0475
                                                                                                            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003F04C5
                                                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003F0504
                                                                                                              • Part of subcall function 0037F9F2: _wcslen.LIBCMT ref: 0037F9FD
                                                                                                              • Part of subcall function 003C223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C2258
                                                                                                              • Part of subcall function 003C223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003C228A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                            • API String ID: 1103490817-719923060
                                                                                                            • Opcode ID: 4788f73cfdd0ebe1197f72b754c3b41661572666a92483e5781bbd0fa2def82e
                                                                                                            • Instruction ID: 359cb9607bb75383e8aaa36746343220db80796b2b1f1c8d8c5fbbb4f542d30d
                                                                                                            • Opcode Fuzzy Hash: 4788f73cfdd0ebe1197f72b754c3b41661572666a92483e5781bbd0fa2def82e
                                                                                                            • Instruction Fuzzy Hash: FFE1F0312082048FC71ADF28C55093AB3E6FF89314F55895DFA9AAB7A6DB30ED45CB41
                                                                                                            APIs
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00378968
                                                                                                            • GetSystemMetrics.USER32(00000007), ref: 00378970
                                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0037899B
                                                                                                            • GetSystemMetrics.USER32(00000008), ref: 003789A3
                                                                                                            • GetSystemMetrics.USER32(00000004), ref: 003789C8
                                                                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003789E5
                                                                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003789F5
                                                                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00378A28
                                                                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00378A3C
                                                                                                            • GetClientRect.USER32(00000000,000000FF), ref: 00378A5A
                                                                                                            • GetStockObject.GDI32(00000011), ref: 00378A76
                                                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00378A81
                                                                                                              • Part of subcall function 0037912D: GetCursorPos.USER32(?), ref: 00379141
                                                                                                              • Part of subcall function 0037912D: ScreenToClient.USER32(00000000,?), ref: 0037915E
                                                                                                              • Part of subcall function 0037912D: GetAsyncKeyState.USER32(00000001), ref: 00379183
                                                                                                              • Part of subcall function 0037912D: GetAsyncKeyState.USER32(00000002), ref: 0037919D
                                                                                                            • SetTimer.USER32(00000000,00000000,00000028,003790FC), ref: 00378AA8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                            • String ID: AutoIt v3 GUI$InitializeCriticalSectionEx
                                                                                                            • API String ID: 1458621304-260769550
                                                                                                            • Opcode ID: 2ffc207dd6b0ab5735cd206da2fb5454f51e3eb7d9ec87bb2ff7d1293f2a476b
                                                                                                            • Instruction ID: f1f362c7c904876da6e3ed6ff036efb8aa32fae1bd145fb5945cca9a2d2a44c5
                                                                                                            • Opcode Fuzzy Hash: 2ffc207dd6b0ab5735cd206da2fb5454f51e3eb7d9ec87bb2ff7d1293f2a476b
                                                                                                            • Instruction Fuzzy Hash: 10B16F71A402099FDB15DF68CD4ABEE7BB5FB48314F118129FA19E7290DB389840CB55
                                                                                                            APIs
                                                                                                              • Part of subcall function 003C10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003C1114
                                                                                                              • Part of subcall function 003C10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1120
                                                                                                              • Part of subcall function 003C10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C112F
                                                                                                              • Part of subcall function 003C10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1136
                                                                                                              • Part of subcall function 003C10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003C114D
                                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003C0DF5
                                                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003C0E29
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 003C0E40
                                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 003C0E7A
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003C0E96
                                                                                                            • GetLengthSid.ADVAPI32(?), ref: 003C0EAD
                                                                                                            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 003C0EB5
                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 003C0EBC
                                                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 003C0EDD
                                                                                                            • CopySid.ADVAPI32(00000000), ref: 003C0EE4
                                                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003C0F13
                                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003C0F35
                                                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 003C0F47
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0F6E
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0F75
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0F7E
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0F85
                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C0F8E
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0F95
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003C0FA1
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C0FA8
                                                                                                              • Part of subcall function 003C1193: GetProcessHeap.KERNEL32(00000008,003C0BB1,?,00000000,?,003C0BB1,?), ref: 003C11A1
                                                                                                              • Part of subcall function 003C1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003C0BB1,?), ref: 003C11A8
                                                                                                              • Part of subcall function 003C1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003C0BB1,?), ref: 003C11B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 4175595110-0
                                                                                                            • Opcode ID: 42be19695d3fff9ef6da1bb3bc6ae8b39218c632a214d477e40caeaf7008967c
                                                                                                            • Instruction ID: f00f34eb66109e0c45d94955e2ca4206c1dea4365a132390db362706161871aa
                                                                                                            • Opcode Fuzzy Hash: 42be19695d3fff9ef6da1bb3bc6ae8b39218c632a214d477e40caeaf7008967c
                                                                                                            • Instruction Fuzzy Hash: 2371687290024AEBDF269FA4DD48FAEBBBCBF05300F058119F919E6191DB319E55CB60
                                                                                                            APIs
                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003EC4BD
                                                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,003FCC08,00000000,?,00000000,?,?), ref: 003EC544
                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003EC5A4
                                                                                                            • _wcslen.LIBCMT ref: 003EC5F4
                                                                                                            • _wcslen.LIBCMT ref: 003EC66F
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 003EC6B2
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003EC7C1
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003EC84D
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 003EC881
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003EC88E
                                                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003EC960
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                            • API String ID: 9721498-966354055
                                                                                                            • Opcode ID: 7d8b113f2cc81a80659a3befb383191bce1351017fb19406d99a80c25671f314
                                                                                                            • Instruction ID: b1ceb3bb11322e0ad28fd99b81d1264745ce6d7e8df3bcb5af1d493f5049fbba
                                                                                                            • Opcode Fuzzy Hash: 7d8b113f2cc81a80659a3befb383191bce1351017fb19406d99a80c25671f314
                                                                                                            • Instruction Fuzzy Hash: 5E1289352142119FC716DF15C881A2ABBE5EF89714F15899DF98A9F3A2DB30EC42CB81
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(?,?), ref: 003F09C6
                                                                                                            • _wcslen.LIBCMT ref: 003F0A01
                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003F0A54
                                                                                                            • _wcslen.LIBCMT ref: 003F0A8A
                                                                                                            • _wcslen.LIBCMT ref: 003F0B06
                                                                                                            • _wcslen.LIBCMT ref: 003F0B81
                                                                                                              • Part of subcall function 0037F9F2: _wcslen.LIBCMT ref: 0037F9FD
                                                                                                              • Part of subcall function 003C2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003C2BFA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                            • API String ID: 1103490817-4258414348
                                                                                                            • Opcode ID: 8ac4cea9b10e6a72bd6d30b67af481c3c1538716f5366c0cf248c482deb89f63
                                                                                                            • Instruction ID: e357cc059b6197d583ab49d4ad12277d04a07176495cfdb7d3a25c1c121d4119
                                                                                                            • Opcode Fuzzy Hash: 8ac4cea9b10e6a72bd6d30b67af481c3c1538716f5366c0cf248c482deb89f63
                                                                                                            • Instruction Fuzzy Hash: FCE1CE312083058FCB1ADF28C45093AB7E1BF99318F55899DF99A9B7A2D730ED45CB81
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharUpper
                                                                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                            • API String ID: 1256254125-909552448
                                                                                                            • Opcode ID: 7890c9c4a8ed32e8b981b7f52ba176a3e56118fb840feb82b5947e6f853841c6
                                                                                                            • Instruction ID: 9960ce9be3e551707b267b47264dacd3db20c9cb6605e8f0f21a68a696e35128
                                                                                                            • Opcode Fuzzy Hash: 7890c9c4a8ed32e8b981b7f52ba176a3e56118fb840feb82b5947e6f853841c6
                                                                                                            • Instruction Fuzzy Hash: 467108326201BB8BCB22DE7ED9415BE33A5AF61754B226335F8659B2C4E735CD438390
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 003F835A
                                                                                                            • _wcslen.LIBCMT ref: 003F836E
                                                                                                            • _wcslen.LIBCMT ref: 003F8391
                                                                                                            • _wcslen.LIBCMT ref: 003F83B4
                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003F83F2
                                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003F5BF2), ref: 003F844E
                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003F8487
                                                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003F84CA
                                                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003F8501
                                                                                                            • FreeLibrary.KERNEL32(?), ref: 003F850D
                                                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003F851D
                                                                                                            • DestroyIcon.USER32(?,?,?,?,?,003F5BF2), ref: 003F852C
                                                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003F8549
                                                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003F8555
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                            • String ID: .dll$.exe$.icl
                                                                                                            • API String ID: 799131459-1154884017
                                                                                                            • Opcode ID: 0103a4089454f453fa5b9c0b909e8ad92bec02943addb96b28722793d22eeeff
                                                                                                            • Instruction ID: 32e188b564e1da53088038feb269950439ba51099acf64a3ff9d387355359b09
                                                                                                            • Opcode Fuzzy Hash: 0103a4089454f453fa5b9c0b909e8ad92bec02943addb96b28722793d22eeeff
                                                                                                            • Instruction Fuzzy Hash: 0561F17154021ABFEB1ADF64CC41BBE77ACBF05B10F10464AFA19DA1D1DB74A990CBA0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                            • API String ID: 0-1645009161
                                                                                                            • Opcode ID: 94df2fcee26bd5dc759a1ad0d392f5f1cd4c1ef35bb1af17c5121bbecc769ef0
                                                                                                            • Instruction ID: 82a259f156ee486cc983a8d46234f3371d5bdabbad26bfb58b89182a547f79ec
                                                                                                            • Opcode Fuzzy Hash: 94df2fcee26bd5dc759a1ad0d392f5f1cd4c1ef35bb1af17c5121bbecc769ef0
                                                                                                            • Instruction Fuzzy Hash: B481E071644209BBDB23AF60CC42FBE37A8EF15304F518025F905AF19AEB71DA01CBA5
                                                                                                            APIs
                                                                                                            • LoadIconW.USER32(00000063), ref: 003C5A2E
                                                                                                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003C5A40
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 003C5A57
                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 003C5A6C
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 003C5A72
                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 003C5A82
                                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 003C5A88
                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003C5AA9
                                                                                                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003C5AC3
                                                                                                            • GetWindowRect.USER32(?,?), ref: 003C5ACC
                                                                                                            • _wcslen.LIBCMT ref: 003C5B33
                                                                                                            • SetWindowTextW.USER32(?,?), ref: 003C5B6F
                                                                                                            • GetDesktopWindow.USER32 ref: 003C5B75
                                                                                                            • GetWindowRect.USER32(00000000), ref: 003C5B7C
                                                                                                            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003C5BD3
                                                                                                            • GetClientRect.USER32(?,?), ref: 003C5BE0
                                                                                                            • PostMessageW.USER32(?,00000005,00000000,?), ref: 003C5C05
                                                                                                            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003C5C2F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                            • String ID:
                                                                                                            • API String ID: 895679908-0
                                                                                                            • Opcode ID: 35420ce2f0111809e4fd7125534d4bdb17ad4247bbd744fc71d85fe6d2db44c6
                                                                                                            • Instruction ID: 3ac5f58f27959991e59b3f09a8ffc129a8012317bbfe88ec9c304f6051118d47
                                                                                                            • Opcode Fuzzy Hash: 35420ce2f0111809e4fd7125534d4bdb17ad4247bbd744fc71d85fe6d2db44c6
                                                                                                            • Instruction Fuzzy Hash: 51714931900A09AFDB22DFA9CE85FAEBBF9EB48704F10451CE542E65A0D775BD84CB50
                                                                                                            APIs
                                                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 003DFE27
                                                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 003DFE32
                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 003DFE3D
                                                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 003DFE48
                                                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 003DFE53
                                                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 003DFE5E
                                                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 003DFE69
                                                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 003DFE74
                                                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 003DFE7F
                                                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 003DFE8A
                                                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 003DFE95
                                                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 003DFEA0
                                                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 003DFEAB
                                                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 003DFEB6
                                                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 003DFEC1
                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 003DFECC
                                                                                                            • GetCursorInfo.USER32(?), ref: 003DFEDC
                                                                                                            • GetLastError.KERNEL32 ref: 003DFF1E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Cursor$Load$ErrorInfoLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3215588206-0
                                                                                                            • Opcode ID: 547ae30a0f9e7f608936971c730105a61e09168cf88cd668480bbee4af028eda
                                                                                                            • Instruction ID: 876f65c5ea7fa54d55494cb9694148b428c370cca8d2a0be929cef83c2144389
                                                                                                            • Opcode Fuzzy Hash: 547ae30a0f9e7f608936971c730105a61e09168cf88cd668480bbee4af028eda
                                                                                                            • Instruction Fuzzy Hash: 794174B0D08319AEDB119FBA9CC586EBFE8FF04754B50452AE11DEB281DB789901CF90
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen
                                                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[B
                                                                                                            • API String ID: 176396367-2028763074
                                                                                                            • Opcode ID: 1479ed7739eaf9e567bc98ab13c5ba8d8e58f5cf7610e6f5ee1f690450fcf202
                                                                                                            • Instruction ID: 7d54899d3ed8cc6373347397d68ac231c36d2633eb5d4ecca997928e03979487
                                                                                                            • Opcode Fuzzy Hash: 1479ed7739eaf9e567bc98ab13c5ba8d8e58f5cf7610e6f5ee1f690450fcf202
                                                                                                            • Instruction Fuzzy Hash: B2E1C332A00626ABCB1AAF68C841FFDBBB4BF55710F65C11EE456E7240DB30AE458790
                                                                                                            APIs
                                                                                                            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003800C6
                                                                                                              • Part of subcall function 003800ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0043070C,00000FA0,334A1C35,?,?,?,?,003A23B3,000000FF), ref: 0038011C
                                                                                                              • Part of subcall function 003800ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003A23B3,000000FF), ref: 00380127
                                                                                                              • Part of subcall function 003800ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003A23B3,000000FF), ref: 00380138
                                                                                                              • Part of subcall function 003800ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0038014E
                                                                                                              • Part of subcall function 003800ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0038015C
                                                                                                              • Part of subcall function 003800ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0038016A
                                                                                                              • Part of subcall function 003800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00380195
                                                                                                              • Part of subcall function 003800ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003801A0
                                                                                                            • ___scrt_fastfail.LIBCMT ref: 003800E7
                                                                                                              • Part of subcall function 003800A3: __onexit.LIBCMT ref: 003800A9
                                                                                                            Strings
                                                                                                            • InitializeConditionVariable, xrefs: 00380148
                                                                                                            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00380122
                                                                                                            • WakeAllConditionVariable, xrefs: 00380162
                                                                                                            • SleepConditionVariableCS, xrefs: 00380154
                                                                                                            • kernel32.dll, xrefs: 00380133
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                            • API String ID: 66158676-1714406822
                                                                                                            • Opcode ID: a42553f78e6a6bccb61445717535e1ecc2957cd9b718c3ca6af465cbf0b3224b
                                                                                                            • Instruction ID: 9e5be61cfa2dcc199e104da140c1ac6924c75dfb5fe18db39cbe395c7ff9d568
                                                                                                            • Opcode Fuzzy Hash: a42553f78e6a6bccb61445717535e1ecc2957cd9b718c3ca6af465cbf0b3224b
                                                                                                            • Instruction Fuzzy Hash: 092168326803046FE7277BA4AC0AB7E3398EF05B60F11017AFD01A7691DB749C04CB94
                                                                                                            APIs
                                                                                                            • CharLowerBuffW.USER32(00000000,00000000,003FCC08), ref: 003D4527
                                                                                                            • _wcslen.LIBCMT ref: 003D453B
                                                                                                            • _wcslen.LIBCMT ref: 003D4599
                                                                                                            • _wcslen.LIBCMT ref: 003D45F4
                                                                                                            • _wcslen.LIBCMT ref: 003D463F
                                                                                                            • _wcslen.LIBCMT ref: 003D46A7
                                                                                                              • Part of subcall function 0037F9F2: _wcslen.LIBCMT ref: 0037F9FD
                                                                                                            • GetDriveTypeW.KERNEL32(?,00426BF0,00000061), ref: 003D4743
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                            • API String ID: 2055661098-1000479233
                                                                                                            • Opcode ID: 7e98385edbe82606b5aa9b65e6f24461b8915288607d51ceea229b07693f946b
                                                                                                            • Instruction ID: b7f0c54b1ddbb69145e122c7c9b1aa099133b8d3e4fe2bc24f4689b15e243536
                                                                                                            • Opcode Fuzzy Hash: 7e98385edbe82606b5aa9b65e6f24461b8915288607d51ceea229b07693f946b
                                                                                                            • Instruction Fuzzy Hash: F5B114326083029FC712DF28E890A7AB7E5BFA6760F51891EF496CB391D730D944CB52
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                            • DragQueryPoint.SHELL32(?,?), ref: 003F9147
                                                                                                              • Part of subcall function 003F7674: ClientToScreen.USER32(?,?), ref: 003F769A
                                                                                                              • Part of subcall function 003F7674: GetWindowRect.USER32(?,?), ref: 003F7710
                                                                                                              • Part of subcall function 003F7674: PtInRect.USER32(?,?,003F8B89), ref: 003F7720
                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 003F91B0
                                                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003F91BB
                                                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003F91DE
                                                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003F9225
                                                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 003F923E
                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 003F9255
                                                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 003F9277
                                                                                                            • DragFinish.SHELL32(?), ref: 003F927E
                                                                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003F9371
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#C
                                                                                                            • API String ID: 221274066-2677816439
                                                                                                            • Opcode ID: d374ef7988c246f271939a2fb92414b0559ec2392d4eeb6b88440eddde955748
                                                                                                            • Instruction ID: 327b454b20da7c5c38f36df95943d93e8d376e498b5924b98b941ec13beaa85d
                                                                                                            • Opcode Fuzzy Hash: d374ef7988c246f271939a2fb92414b0559ec2392d4eeb6b88440eddde955748
                                                                                                            • Instruction Fuzzy Hash: 01617A71108309AFC702EF64DD85EAFBBE8EF88750F10492EF595971A0DB709A49CB52
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 003EB198
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003EB1B0
                                                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003EB1D4
                                                                                                            • _wcslen.LIBCMT ref: 003EB200
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003EB214
                                                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003EB236
                                                                                                            • _wcslen.LIBCMT ref: 003EB332
                                                                                                              • Part of subcall function 003D05A7: GetStdHandle.KERNEL32(000000F6), ref: 003D05C6
                                                                                                            • _wcslen.LIBCMT ref: 003EB34B
                                                                                                            • _wcslen.LIBCMT ref: 003EB366
                                                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003EB3B6
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 003EB407
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003EB439
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003EB44A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003EB45C
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003EB46E
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003EB4E3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2178637699-0
                                                                                                            • Opcode ID: 2533c5ccc1cdf704aab951b2fc94741341d39ae4a79065e0a097f7c393ba1e62
                                                                                                            • Instruction ID: 808fd6f674fcacbf30102304db6a503e10c8c0f4b42b7b003f37424bf28e53a1
• Instruction Fuzzy Hash: 3FF18A315082509FC726EF25C891B6BBBE5AF85314F15895DF8999F2A2DB30EC40CB52
APIs
• GetMenuItemCount.USER32(00431990), ref: 003A2F8D
• GetMenuItemCount.USER32(00431990), ref: 003A303D
• GetCursorPos.USER32(?), ref: 003A3081
• SetForegroundWindow.USER32(00000000), ref: 003A308A
• TrackPopupMenuEx.USER32(00431990,00000000,?,00000000,00000000,00000000), ref: 003A309D
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003A30A9
Similarity
• API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
• String ID: 0
• API String ID: 36266755-4108050209
• Opcode ID: 364a4de3ab6819bb9dbb0f1f45c9133ea28772674904b7ea1212fa45b66049cb
• Instruction ID: 539019090b582350e0a644842069de8e251568dedc5e5555b3a6e849df5d409b
• Instruction Fuzzy Hash: AE711970644205BEEB239F29CC59FAABF68FF06324F204216F515AA1E0C7B1AD54DB50
APIs
• DestroyWindow.USER32(?,?), ref: 003F6DEB
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003F6E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003F6E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003F6E94
• DestroyWindow.USER32(?), ref: 003F6EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00360000,00000000), ref: 003F6EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003F6EFD
• GetDesktopWindow.USER32 ref: 003F6F16
• GetWindowRect.USER32(00000000), ref: 003F6F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003F6F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003F6F4D
  • Part of subcall function 00379944: GetWindowLongW.USER32(?,000000EB), ref: 00379952
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
• String ID: 0$tooltips_class32
• API String ID: 2429346358-3619404913
• Opcode ID: 8a4ecef4bf2796159a0c7a16ae809c71422e98dc31b3e6ab1bd6396ed4265aea
• Instruction ID: 955c3f3c6db69eb6e912a152ff4676f83b0944d1a73846aa3ed16f7bf3dacf30
• Instruction Fuzzy Hash: 99716771144348AFDB22CF18DD55FBABBE9FB89304F04482DFA9987261C770A90ACB15
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003DC4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003DC4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003DC4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003DC4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003DC533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003DC549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003DC554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003DC584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003DC5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003DC5F0
• InternetCloseHandle.WININET(00000000), ref: 003DC5FB
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: b81c5303b89da200b6b7ee13695dc03b5760707cd41065576810ed691137862a
• Instruction ID: 6d24b96c5973945b1dabc46f117465df9846ad7c06e3350a794b84883437ecbe
• Instruction Fuzzy Hash: C9517DB256020ABFDB239F61E948ABB7BBDFF09744F00541AF945D6610DB34E908DB60
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003F8592
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85A2
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85AD
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85BA
• GlobalLock.KERNEL32(00000000), ref: 003F85C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85D7
• GlobalUnlock.KERNEL32(00000000), ref: 003F85E0
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003F85F8
• OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003FFC38,?), ref: 003F8611
• GlobalFree.KERNEL32(00000000), ref: 003F8621
• GetObjectW.GDI32(?,00000018,?), ref: 003F8641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003F8671
• DeleteObject.GDI32(?), ref: 003F8699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003F86AF
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 89a49b853dabf082a9f39ec8f8c6c2ba7f6711c312988bb0487479438a1d82f2
• Instruction ID: ae40058273f03f9e038ae6bcf535a02632af2624db048a3f3961522da0f5db7a
• Instruction Fuzzy Hash: 90411875640208BFDB129FA5CD48EBA7BBCEF89711F114458FA09E7260DB349D05DB20
APIs
• VariantInit.OLEAUT32(00000000), ref: 003D1502
• VariantCopy.OLEAUT32(?,?), ref: 003D150B
• VariantClear.OLEAUT32(?), ref: 003D1517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003D15FB
• VarR8FromDec.OLEAUT32(?,?), ref: 003D1657
• VariantInit.OLEAUT32(?), ref: 003D1708
• SysFreeString.OLEAUT32(?), ref: 003D178C
• VariantClear.OLEAUT32(?), ref: 003D17D8
• VariantClear.OLEAUT32(?), ref: 003D17E7
• VariantInit.OLEAUT32(00000000), ref: 003D1823
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: fb40304fbe9a62eea3f83cfd3c6b78ede88c521bcbd22e97e24f6c192956501d
• Instruction ID: f3ae0f21e5eede92171659591a323dbc9f59cac2732010479df06f5960ce383a
• Instruction Fuzzy Hash: 9CD1EE72A00105EBDB129F65F885B79B7BABF46700F108057F846AF694DB78EC40DB61
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003EB6AE,?,?), ref: 003EC9B5
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003EC9F1
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA68
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003EB6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003EB772
• RegDeleteValueW.ADVAPI32(?,?), ref: 003EB80A
• RegCloseKey.ADVAPI32(?), ref: 003EB87E
• RegCloseKey.ADVAPI32(?), ref: 003EB89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 003EB8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003EB904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 003EB922
• FreeLibrary.KERNEL32(00000000), ref: 003EB983
• RegCloseKey.ADVAPI32(00000000), ref: 003EB994
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                            • API String ID: 146587525-4033151799
                                                                                                            • Opcode ID: 83d5a16bb708f12d49a74b67292b14f985c24d66b3bbe4f131f6371d74cfdda7
                                                                                                            • Instruction ID: 4a942544d851feb85d4511241355bb7ba7f856d5100fd9acaf4eaa1ac4f9c81a
                                                                                                            • Opcode Fuzzy Hash: 83d5a16bb708f12d49a74b67292b14f985c24d66b3bbe4f131f6371d74cfdda7
                                                                                                            • Instruction Fuzzy Hash: C3C17B34204291AFD712DF15C495F2ABBE5BF84308F15869CF49A8B7A2CB71EC46CB91
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 003E25D8
                                                                                                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003E25E8
                                                                                                            • CreateCompatibleDC.GDI32(?), ref: 003E25F4
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 003E2601
                                                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003E266D
                                                                                                            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003E26AC
                                                                                                            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003E26D0
                                                                                                            • SelectObject.GDI32(?,?), ref: 003E26D8
                                                                                                            • DeleteObject.GDI32(?), ref: 003E26E1
                                                                                                            • DeleteDC.GDI32(?), ref: 003E26E8
                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 003E26F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                            • String ID: (
                                                                                                            • API String ID: 2598888154-3887548279
                                                                                                            • Opcode ID: 3d2add8d191a190a5976319122b5d678ec46db8647a17d1b97575b83e7266af5
                                                                                                            • Instruction ID: 95b6580afa6e96fdf3308284960c3a68190067bd0f8405d44a38417f5d2a492f
                                                                                                            • Opcode Fuzzy Hash: 3d2add8d191a190a5976319122b5d678ec46db8647a17d1b97575b83e7266af5
                                                                                                            • Instruction Fuzzy Hash: CD61F275D00219EFCF06CFA8D984EAEBBB9FF48310F248529E955A7250D770A951CFA0
                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 0039DAA1
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D659
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D66B
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D67D
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D68F
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6A1
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6B3
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6C5
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6D7
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6E9
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D6FB
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D70D
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D71F
                                                                                                              • Part of subcall function 0039D63C: _free.LIBCMT ref: 0039D731
                                                                                                            • _free.LIBCMT ref: 0039DA96
                                                                                                              • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
                                                                                                              • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
                                                                                                            • _free.LIBCMT ref: 0039DAB8
                                                                                                            • _free.LIBCMT ref: 0039DACD
                                                                                                            • _free.LIBCMT ref: 0039DAD8
                                                                                                            • _free.LIBCMT ref: 0039DAFA
                                                                                                            • _free.LIBCMT ref: 0039DB0D
                                                                                                            • _free.LIBCMT ref: 0039DB1B
                                                                                                            • _free.LIBCMT ref: 0039DB26
                                                                                                            • _free.LIBCMT ref: 0039DB5E
                                                                                                            • _free.LIBCMT ref: 0039DB65
                                                                                                            • _free.LIBCMT ref: 0039DB82
                                                                                                            • _free.LIBCMT ref: 0039DB9A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            • Opcode ID: 90d3a1520fcb69d1d6abb74b957322405e7f3f0dae25df9b8136f8abbfc4ff7e
                                                                                                            • Instruction ID: b5d929b9642ae9adb21b273babe8f5435b8f6e147e4613a7d4f2e43db020ac79
                                                                                                            • Opcode Fuzzy Hash: 90d3a1520fcb69d1d6abb74b957322405e7f3f0dae25df9b8136f8abbfc4ff7e
                                                                                                            • Instruction Fuzzy Hash: D5314B32604705AFEF23AA39E846B5BB7E9FF11320F564419E449DB191DF31AC60CB60
                                                                                                            APIs
                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 003C369C
                                                                                                            • _wcslen.LIBCMT ref: 003C36A7
                                                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003C3797
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 003C380C
                                                                                                            • GetDlgCtrlID.USER32(?), ref: 003C385D
                                                                                                            • GetWindowRect.USER32(?,?), ref: 003C3882
                                                                                                            • GetParent.USER32(?), ref: 003C38A0
                                                                                                            • ScreenToClient.USER32(00000000), ref: 003C38A7
                                                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 003C3921
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 003C395D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                                            • String ID: %s%u
                                                                                                            • API String ID: 4010501982-679674701
                                                                                                            • Opcode ID: 91bd46dd0b1e9b90a4231a5e310e9ff3bcb0d6be86b49755c22c790ddb506b6e
                                                                                                            • Instruction ID: bdc8328cd2b4740427e818edc80fb6a13345000d160c037a593228e50d5838a3
                                                                                                            • Opcode Fuzzy Hash: 91bd46dd0b1e9b90a4231a5e310e9ff3bcb0d6be86b49755c22c790ddb506b6e
                                                                                                            • Instruction Fuzzy Hash: E5918C71204706AFDB1ADF24C885FAAB7A8FF44354F00862DF999D6190DB30AE59CB91
                                                                                                            APIs
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 003C4994
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 003C49DA
                                                                                                            • _wcslen.LIBCMT ref: 003C49EB
                                                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 003C49F7
                                                                                                            • _wcsstr.LIBVCRUNTIME ref: 003C4A2C
                                                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 003C4A64
                                                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 003C4A9D
                                                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 003C4AE6
                                                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 003C4B20
                                                                                                            • GetWindowRect.USER32(?,?), ref: 003C4B8B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                                            • String ID: ThumbnailClass
                                                                                                            • API String ID: 1311036022-1241985126
                                                                                                            • Opcode ID: b5a268e15c45a659871f628c6025d3f04ce0c00d994583471a0b268836de1bc1
                                                                                                            • Instruction ID: 69d89f10fcb944c8724c5096b6edff51204509e3c623edd3acb4f4972d5640fd
                                                                                                            • Opcode Fuzzy Hash: b5a268e15c45a659871f628c6025d3f04ce0c00d994583471a0b268836de1bc1
                                                                                                            • Instruction Fuzzy Hash: 8491AB71108209ABDB06DF14C995FAA77A8FF84314F05846EFD85DA096EB30ED45CBA1
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003F8D5A
                                                                                                            • GetFocus.USER32 ref: 003F8D6A
                                                                                                            • GetDlgCtrlID.USER32(00000000), ref: 003F8D75
                                                                                                            • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003F8E1D
                                                                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003F8ECF
                                                                                                            • GetMenuItemCount.USER32(?), ref: 003F8EEC
                                                                                                            • GetMenuItemID.USER32(?,00000000), ref: 003F8EFC
                                                                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003F8F2E
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003F8F70
                                                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003F8FA1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 1026556194-4108050209
                                                                                                            • Opcode ID: efd6eb11be9207134e314f077acea128b42f2e0d35205ec7385d1672efe4cc01
                                                                                                            • Instruction ID: c922f2e18ccc5515e0bd09be2bb53b821f269b40d60fdc840b8e789352071383
                                                                                                            • Opcode Fuzzy Hash: efd6eb11be9207134e314f077acea128b42f2e0d35205ec7385d1672efe4cc01
                                                                                                            • Instruction Fuzzy Hash: 7681BE715083099FD71ACF24D884ABBBBE9FF98314F050959FA88DB291DB30D904CBA1
                                                                                                            APIs
                                                                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003CDC20
                                                                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003CDC46
                                                                                                            • _wcslen.LIBCMT ref: 003CDC50
                                                                                                            • _wcsstr.LIBVCRUNTIME ref: 003CDCA0
                                                                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003CDCBC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                            • API String ID: 1939486746-1459072770
                                                                                                            • Opcode ID: 7a387be4defe862bf457968298f63cfec08cbdc8c0990654387d086db468a8a0
                                                                                                            • Instruction ID: 11559a59648c0cba5d3c8f7b476f99bbd888f458c47cb3a8d43ad550f3f3c24d
                                                                                                            • Opcode Fuzzy Hash: 7a387be4defe862bf457968298f63cfec08cbdc8c0990654387d086db468a8a0
                                                                                                            • Instruction Fuzzy Hash: 40411072A403087ADB12B6649C47FFF77ACEF45710F2040AAF905EA182EB759D00A7A4
                                                                                                            APIs
                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003ECC64
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 003ECC8D
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003ECD48
                                                                                                              • Part of subcall function 003ECC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003ECCAA
                                                                                                              • Part of subcall function 003ECC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 003ECCBD
                                                                                                              • Part of subcall function 003ECC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003ECCCF
                                                                                                              • Part of subcall function 003ECC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003ECD05
                                                                                                              • Part of subcall function 003ECC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003ECD28
                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 003ECCF3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                            • API String ID: 2734957052-4033151799
                                                                                                            • Opcode ID: 6e67bb9b498937bf06b45a5104dc50c64a3c600e672bb04de1d99748584abf8d
                                                                                                            • Instruction ID: 8b6871e5f5762e32b1e409acf5de402ada3bdf383dfd6df86f1321b9b1d9910b
                                                                                                            • Opcode Fuzzy Hash: 6e67bb9b498937bf06b45a5104dc50c64a3c600e672bb04de1d99748584abf8d
                                                                                                            • Instruction Fuzzy Hash: 0831B07195112DBBDB228B55DC88EFFBB7CEF05740F011265F906E2280DB349E46DAA0
                                                                                                            APIs
                                                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003D3D40
                                                                                                            • _wcslen.LIBCMT ref: 003D3D6D
                                                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 003D3D9D
                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003D3DBE
                                                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 003D3DCE
                                                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003D3E55
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003D3E60
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003D3E6B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                            • String ID: :$\$\??\%s
                                                                                                            • API String ID: 1149970189-3457252023
                                                                                                            • Opcode ID: 977e31b24cb2c1335a17314705da1b7d9c19e3ba4bce24bb692777c89e601ea3
                                                                                                            • Instruction ID: 919c35decaf113d63c6149dd0129e409cf4e79048c921cd3c3e4e4381d19c8d0
                                                                                                            • Opcode Fuzzy Hash: 977e31b24cb2c1335a17314705da1b7d9c19e3ba4bce24bb692777c89e601ea3
                                                                                                            • Instruction Fuzzy Hash: A231C176940209ABDB229BA0EC48FEB37BDEF88700F1140B6F509D6160E7749B44CB25
                                                                                                            APIs
                                                                                                            • timeGetTime.WINMM ref: 003CE6B4
                                                                                                              • Part of subcall function 0037E551: timeGetTime.WINMM(?,?,003CE6D4), ref: 0037E555
                                                                                                            • Sleep.KERNEL32(0000000A), ref: 003CE6E1
                                                                                                            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 003CE705
                                                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003CE727
                                                                                                            • SetActiveWindow.USER32 ref: 003CE746
                                                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003CE754
                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 003CE773
                                                                                                            • Sleep.KERNEL32(000000FA), ref: 003CE77E
                                                                                                            • IsWindow.USER32 ref: 003CE78A
                                                                                                            • EndDialog.USER32(00000000), ref: 003CE79B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                            • String ID: BUTTON
                                                                                                            • API String ID: 1194449130-3405671355
                                                                                                            • Opcode ID: 9cf75c480af072e9426adf43c3a501f39c44290398a3b78e773a47e5b821c766
                                                                                                            • Instruction ID: 7ae3e13a2e984f87805e34ce2002af1112fa291ae87dd3edb0b294cf08c48ba9
                                                                                                            • Opcode Fuzzy Hash: 9cf75c480af072e9426adf43c3a501f39c44290398a3b78e773a47e5b821c766
                                                                                                            • Instruction Fuzzy Hash: 2C218EB1250608AFEB025F21EE8AF357B6DAB55348F103438F815D15A1DBB1AC10CB28
                                                                                                            APIs
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003CEA5D
                                                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003CEA73
                                                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CEA84
                                                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003CEA96
                                                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003CEAA7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: SendString$_wcslen
                                                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                            • API String ID: 2420728520-1007645807
                                                                                                            • Opcode ID: fa6891cadff562b5fbbac3aa2b72c0d3dfdb7706a87e551175b93936b71114c7
                                                                                                            • Instruction ID: 96c36ee562bb690736151832a9943ce1b261f8e85e733c176e2276d63fb08a92
                                                                                                            • Opcode Fuzzy Hash: fa6891cadff562b5fbbac3aa2b72c0d3dfdb7706a87e551175b93936b71114c7
                                                                                                            • Instruction Fuzzy Hash: C811C675B902697DD721A7A1EC4AFFF6A7CEBD2B00F51042A7801E60D4EEB00D44CAB0
                                                                                                            APIs
                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 003C5CE2
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 003C5CFB
                                                                                                            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003C5D59
                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 003C5D69
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 003C5D7B
                                                                                                            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003C5DCF
                                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 003C5DDD
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 003C5DEF
                                                                                                            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003C5E31
                                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 003C5E44
                                                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003C5E5A
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 003C5E67
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                                                            • String ID:
                                                                                                            • API String ID: 3096461208-0
                                                                                                            • Opcode ID: af74dcf3cb39d8da37747fbb2b201585f7f2485d5e384557cf883d6570e2f006
                                                                                                            • Instruction ID: 5021db21388fa0a0508cff88b9d449cf7f66b000791b89ff2d6e58e714fe6ea8
                                                                                                            • Opcode Fuzzy Hash: af74dcf3cb39d8da37747fbb2b201585f7f2485d5e384557cf883d6570e2f006
                                                                                                            • Instruction Fuzzy Hash: 20512D70B50609AFDF19DF68DD89EAEBBB9EB48300F148129F516E6290D770AE44CB50
                                                                                                            APIs
                                                                                                              • Part of subcall function 00378F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00378BE8,?,00000000,?,?,?,?,00378BBA,00000000,?), ref: 00378FC5
                                                                                                            • DestroyWindow.USER32(?), ref: 00378C81
                                                                                                            • KillTimer.USER32(00000000,?,?,?,?,00378BBA,00000000,?), ref: 00378D1B
                                                                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 003B6973
                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00378BBA,00000000,?), ref: 003B69A1
                                                                                                            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00378BBA,00000000,?), ref: 003B69B8
                                                                                                            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00378BBA,00000000), ref: 003B69D4
                                                                                                            • DeleteObject.GDI32(00000000), ref: 003B69E6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 641708696-0
                                                                                                            • Opcode ID: fe12b1a97bd9cac04ee0f35b253d690352472884820399ec68515103c7face17
                                                                                                            • Instruction ID: 0b9abb1304895619ba4573737aece13d4faf32dc7054ef463db9f0cef7f2bc98
                                                                                                            • Opcode Fuzzy Hash: fe12b1a97bd9cac04ee0f35b253d690352472884820399ec68515103c7face17
                                                                                                            • Instruction Fuzzy Hash: 99619770142605DFCB379F14DA4DB69B7F5FF40316F15A528E14A9A9B0CB39A880CF94
APIs
  • Part of subcall function 00379944: GetWindowLongW.USER32(?,000000EB), ref: 00379952
• GetSysColor.USER32(0000000F), ref: 00379862
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 2b8c8ccf0946905764c114f69769de0123f196e52c5c6ab666861ebf8effb08a
• Instruction ID: 0dd35c7796b1b26dafa81312cc75b2f622cdef951e34a36cb3d27179663ee833
• Opcode Fuzzy Hash: 2b8c8ccf0946905764c114f69769de0123f196e52c5c6ab666861ebf8effb08a
• Instruction Fuzzy Hash: 7341F631144604AFDB329F389C84BB937A9EB47330F158756FAA68B2E1C7349C42DB11
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID: .8
• API String ID: 0-2175067728
• Opcode ID: 4f3805d0eec8a305fdc118a3b7dac39362b47ed60ab54dde06fb76ddd699283c
• Instruction ID: de7fbc9712bf1fe1887819a64a0606a8bebf1f52f309f392f2a8e709980507da
• Opcode Fuzzy Hash: 4f3805d0eec8a305fdc118a3b7dac39362b47ed60ab54dde06fb76ddd699283c
• Instruction Fuzzy Hash: 72C1EF75E04349AFDF13EFACD841BADBBB4AF4A310F05419AE425AB392C7719941CB60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 003C9717
• LoadStringW.USER32(00000000,?,003AF7F8,00000001), ref: 003C9720
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
• GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003AF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 003C9742
• LoadStringW.USER32(00000000,?,003AF7F8,00000001), ref: 003C9745
• MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 003C9866
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wcslen
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 747408836-2268648507
• Opcode ID: 86952906ada00305f582c4241cae46f598f32d6f1c421c9d4d5b1c5a4968bb01
• Instruction ID: 0650915adc5377c61360e7bcc61d045f5744fe503e04152af0970f3c7f9eb1d1
• Opcode Fuzzy Hash: 86952906ada00305f582c4241cae46f598f32d6f1c421c9d4d5b1c5a4968bb01
• Instruction Fuzzy Hash: 7F413B72900219AACB06EBA0DE46FEE737CAF15340F614066B505BB196EB356F48CB61
APIs
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003C07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003C07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003C07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003C0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003C082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003C0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003C083C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Opcode ID: 87c1b8cf3717f91ffc6bc32b7940e092e183c893323d807046f1f3b14cc209ca
• Instruction ID: 0a6bef67bad85769e028b1d7691934fd4443418ad1277b9196b47b0b702ba10f
• Opcode Fuzzy Hash: 87c1b8cf3717f91ffc6bc32b7940e092e183c893323d807046f1f3b14cc209ca
• Instruction Fuzzy Hash: 12410572D10629EBDB16EBA4DC95DEDB7B8BF04350F15816AE901A7160EB309E44CBA0
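The records in this section are the text rendering of Joe Sandbox's per-function output: a list of resolved API calls with their call-site addresses, the dump the code came from, and fuzzy hashes for pivoting. The routine just above (call sites 003C07A2 to 003C083C) is the one worth reading closely: WNetAddConnection2W, then RegConnectRegistryW with hKey 80000002 (HKEY_LOCAL_MACHINE), a KEY_READ (00020019) open under SOFTWARE\Classes\, a value read, CLSIDFromString, and the strings \CLSID and \IPC$, which is a ProgID-to-CLSID lookup against another host's registry over an IPC$ session, consistent with the AutoIt runtime's remote object creation path rather than anything specific to this payload. As an added example, not part of this report or of Joe Sandbox's own tooling, the Python below parses one such record into structured data, names the raw hex the report prints for registry hive and access-mask arguments (standard Win32 constants), and tags the call pattern. The constructed input is that record copied from above; the names ApiCall, FunctionRecord, parse_record, decode_args, classify and the tag strings are the example's own.

```python
"""Parse one Joe Sandbox function-analysis record (APIs / Memory Dump Source /
Similarity) into structured data, decode registry arguments, tag the pattern.
Added example; not the report's or Joe Sandbox's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the record for the remote CLSID lookup routine in this
# report, copied from the page (indentation is ours).
SAMPLE = r"""APIs
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003C07A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003C07BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003C07DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003C0804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003C082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003C0837
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003C083C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 323675364-22481851
• Instruction Fuzzy Hash: 12410572D10629EBDB16EBA4DC95DEDB7B8BF04350F15816AE901A7160EB309E44CBA0
"""

# One API line: optional "Part of subcall function X:" prefix, Name.Module,
# optional "(args)", then "ref: <call-site>".  Lines without an argument list
# (e.g. "_wcslen.LIBCMT ref: ...") are valid in the report and handled here.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Win32 constants for the arguments the report leaves as raw hex.
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # stack slots as printed; "?" = not recovered
    ref: int                 # call-site address inside the dumped image
    subcall_of: Optional[str] = None


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)   # key/value bullets outside APIs
    strings: List[str] = field(default_factory=list)


def parse_record(text: str) -> FunctionRecord:
    rec, section = FunctionRecord(), None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped in HEADERS:
            section = stripped
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unparsed API line: {line!r}")
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
        else:
            m = KV_RE.match(line)
            if m:
                rec.fields[m["key"].strip()] = m["value"]
    # Joe joins strings with "$", which is also the last character of the share
    # name "IPC$": the split cannot tell them apart, so that entry comes back as
    # "\IPC" and the empty tail is dropped.  Keep fields["String ID"] for the raw form.
    rec.strings = [s for s in rec.fields.get("String ID", "").split("$") if s]
    return rec


def _hex(arg: str) -> Optional[int]:
    return None if arg == "?" else int(arg, 16)


def decode_args(call: ApiCall) -> Dict[str, str]:
    """Name hive handles and access masks.  Joe prints a window of stack slots,
    not only declared parameters (RegOpenKeyExW has five, the report shows
    seven), so only the leading declared positions are interpreted."""
    out: Dict[str, str] = {}
    if call.name == "RegConnectRegistryW" and len(call.args) >= 2:  # (lpMachineName, hKey, phkResult)
        hive = _hex(call.args[1])
        if hive in HIVES:
            out["hKey"] = HIVES[hive]
    elif call.name == "RegOpenKeyExW" and len(call.args) >= 4:  # (hKey, lpSubKey, ulOptions, samDesired, ...)
        hive = _hex(call.args[0])
        if hive in HIVES:
            out["hKey"] = HIVES[hive]
        sam = _hex(call.args[3])
        if sam is not None:
            out["samDesired"] = KEY_ACCESS.get(sam, hex(sam))
    return out


def classify(rec: FunctionRecord) -> List[str]:
    """Tag the call pattern; tag names are this example's own vocabulary."""
    names = {c.name for c in rec.apis}
    tags = []
    if "WNetAddConnection2W" in names:
        tags.append("net_use_session")          # connects a share; the strings say \IPC$
    if "RegConnectRegistryW" in names:
        tags.append("remote_registry")
    if {"RegConnectRegistryW", "CLSIDFromString"} <= names and any("Classes" in s for s in rec.strings):
        tags.append("remote_com_clsid_lookup")  # ProgID -> CLSID resolved on another host
    return tags


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    for c in rec.apis:
        print(f"{c.ref:08X} {c.name:<22} {decode_args(c)}")
    print("strings:", rec.strings, "tags:", classify(rec))
    print("pivot hash:", rec.fields["Instruction Fuzzy Hash"])
```

Feeding the other records in this section through parse_record works the same way; the Instruction Fuzzy Hash and API String ID fields are the values to search across other reports when you want to find the same AutoIt runtime routine in a differently packed sample.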
APIs
• VariantInit.OLEAUT32(?), ref: 003E3C5C
• CoInitialize.OLE32(00000000), ref: 003E3C8A
• CoUninitialize.OLE32 ref: 003E3C94
• _wcslen.LIBCMT ref: 003E3D2D
• GetRunningObjectTable.OLE32(00000000,?), ref: 003E3DB1
• SetErrorMode.KERNEL32(00000001,00000029), ref: 003E3ED5
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003E3F0E
• CoGetObject.OLE32(?,00000000,003FFB98,?), ref: 003E3F2D
• SetErrorMode.KERNEL32(00000000), ref: 003E3F40
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003E3FC4
• VariantClear.OLEAUT32(?), ref: 003E3FD8
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
• String ID:
• API String ID: 429561992-0
• Opcode ID: e9b1edd90ce13a19bee36d2e31624d5e9e8d0c9726da49b39d2a502f37bd33e7
• Instruction ID: 82898462433e71ca3e6a3e02066d652bb60a5ea3f73b0360fa10c1b9b63d6529
• Opcode Fuzzy Hash: e9b1edd90ce13a19bee36d2e31624d5e9e8d0c9726da49b39d2a502f37bd33e7
• Instruction Fuzzy Hash: 69C156716083559FC702DF29C88892BBBE9FF89744F104A5DF98A9B290D730EE05CB52
APIs
• CoInitialize.OLE32(00000000), ref: 003D7AF3
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003D7B8F
• SHGetDesktopFolder.SHELL32(?), ref: 003D7BA3
• CoCreateInstance.OLE32(003FFD08,00000000,00000001,00426E6C,?), ref: 003D7BEF
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003D7C74
• CoTaskMemFree.OLE32(?,?), ref: 003D7CCC
• SHBrowseForFolderW.SHELL32(?), ref: 003D7D57
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003D7D7A
• CoTaskMemFree.OLE32(00000000), ref: 003D7D81
• CoTaskMemFree.OLE32(00000000), ref: 003D7DD6
• CoUninitialize.OLE32 ref: 003D7DDC
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
• String ID:
• API String ID: 2762341140-0
• Opcode ID: 913d9ec7f30d70c8e0726796f0a4c9bb2c0168b0fc9ba77a09c65a82eea14a81
• Instruction ID: 91d935779ea7e205a18bb2748e0fa4ee00dbe76d77f4a0ac6fb1b8250e88726f
• Opcode Fuzzy Hash: 913d9ec7f30d70c8e0726796f0a4c9bb2c0168b0fc9ba77a09c65a82eea14a81
• Instruction Fuzzy Hash: 52C12A75A04109AFCB15DFA4D884DAEBBF9FF48304B14849AE91ADB361D730EE45CB90
APIs
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003F5504
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003F5515
• CharNextW.USER32(00000158), ref: 003F5544
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003F5585
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003F559B
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003F55AC
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessageSend$CharNext
• String ID:
• API String ID: 1350042424-0
• Opcode ID: de07898036f9cb46892a9e44e4232bc5e84c4c08a6a33dd3f574250f76cf75f7
• Instruction ID: 6cffa8644f1e13fffa10b810d1eb5de8dda29c4424ace825f0859b5427b341ab
• Opcode Fuzzy Hash: de07898036f9cb46892a9e44e4232bc5e84c4c08a6a33dd3f574250f76cf75f7
• Instruction Fuzzy Hash: 15618C3090460CAFDF129F55CC84EFE7BB9EF0A721F158149FB25AA290D7748A81DB60
                                                                                                            APIs
                                                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003BFAAF
                                                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 003BFB08
                                                                                                            • VariantInit.OLEAUT32(?), ref: 003BFB1A
                                                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 003BFB3A
                                                                                                            • VariantCopy.OLEAUT32(?,?), ref: 003BFB8D
                                                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 003BFBA1
                                                                                                            • VariantClear.OLEAUT32(?), ref: 003BFBB6
                                                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 003BFBC3
                                                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003BFBCC
                                                                                                            • VariantClear.OLEAUT32(?), ref: 003BFBDE
                                                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003BFBE9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2706829360-0
                                                                                                            • Opcode ID: a39564e63fa5987fb40952c13a77ec2f1c0f362379b8afa3b69930feab7898c3
                                                                                                            • Instruction ID: aa75a30e7a3565f725edffdff6e2be384a45a0bae1436f4322eb04a7e7c1a1bd
                                                                                                            • Opcode Fuzzy Hash: a39564e63fa5987fb40952c13a77ec2f1c0f362379b8afa3b69930feab7898c3
                                                                                                            • Instruction Fuzzy Hash: FF416035A0021D9FCB06DF65CC549FDBBB9FF48348F009469E945AB261CB70A945CF90
                                                                                                            APIs
                                                                                                            • GetKeyboardState.USER32(?), ref: 003C9CA1
                                                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 003C9D22
                                                                                                            • GetKeyState.USER32(000000A0), ref: 003C9D3D
                                                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 003C9D57
                                                                                                            • GetKeyState.USER32(000000A1), ref: 003C9D6C
                                                                                                            • GetAsyncKeyState.USER32(00000011), ref: 003C9D84
                                                                                                            • GetKeyState.USER32(00000011), ref: 003C9D96
                                                                                                            • GetAsyncKeyState.USER32(00000012), ref: 003C9DAE
                                                                                                            • GetKeyState.USER32(00000012), ref: 003C9DC0
                                                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 003C9DD8
                                                                                                            • GetKeyState.USER32(0000005B), ref: 003C9DEA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: State$Async$Keyboard
                                                                                                            • String ID:
                                                                                                            • API String ID: 541375521-0
                                                                                                            • Opcode ID: eab85bef037aad24f421bdaf5028bdbc44e387a67f197f0e6e510cd709268eae
                                                                                                            • Instruction ID: 94ed19fa7e05fd58a2aa4748c3ebd39ab542aba917066b4318d1faf9a24b671f
                                                                                                            • Opcode Fuzzy Hash: eab85bef037aad24f421bdaf5028bdbc44e387a67f197f0e6e510cd709268eae
                                                                                                            • Instruction Fuzzy Hash: 9F41E7305047C969FF339664880CBB5BEA06B22344F07805FD6C7A65C2DBA49DC8C7A2
                                                                                                            APIs
                                                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 003E05BC
                                                                                                            • inet_addr.WSOCK32(?), ref: 003E061C
                                                                                                            • gethostbyname.WSOCK32(?), ref: 003E0628
                                                                                                            • IcmpCreateFile.IPHLPAPI ref: 003E0636
                                                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003E06C6
                                                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003E06E5
                                                                                                            • IcmpCloseHandle.IPHLPAPI(?), ref: 003E07B9
                                                                                                            • WSACleanup.WSOCK32 ref: 003E07BF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                            • String ID: Ping
                                                                                                            • API String ID: 1028309954-2246546115
                                                                                                            • Opcode ID: 9adf092fcca753a5550e8390a568f74a1f28123145cb1b0c441a42a3c57504e4
                                                                                                            • Instruction ID: 4c76671d34bdbee073226dd049ba5bd014e59d8395b9805c4d5e3ea7db137988
                                                                                                            • Opcode Fuzzy Hash: 9adf092fcca753a5550e8390a568f74a1f28123145cb1b0c441a42a3c57504e4
                                                                                                            • Instruction Fuzzy Hash: F391BF346082519FD326CF16C488F1ABBE4EF44318F1586A9E4698F7A2C7B0EC85CF91
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$BuffCharLower
                                                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                                                            • API String ID: 707087890-567219261
                                                                                                            • Opcode ID: 62f01aa90e0a9e3af6b02c2d1caa550d0f3d0dfdb5c708e89f9958bfb0949b5c
                                                                                                            • Instruction ID: 832aa2bc2455327fd1d7874bac8c4b2a5ae1362b08b33fb45fad0884d54eade3
                                                                                                            • Opcode Fuzzy Hash: 62f01aa90e0a9e3af6b02c2d1caa550d0f3d0dfdb5c708e89f9958bfb0949b5c
                                                                                                            • Instruction Fuzzy Hash: 3151C531E005669BCB16DF6DC9409BEB3A5BF65324B214369E41AEB2C4DB31DD40C790
                                                                                                            APIs
                                                                                                            • CoInitialize.OLE32 ref: 003E3774
                                                                                                            • CoUninitialize.OLE32 ref: 003E377F
                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,003FFB78,?), ref: 003E37D9
                                                                                                            • IIDFromString.OLE32(?,?), ref: 003E384C
                                                                                                            • VariantInit.OLEAUT32(?), ref: 003E38E4
                                                                                                            • VariantClear.OLEAUT32(?), ref: 003E3936
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                            • API String ID: 636576611-1287834457
                                                                                                            • Opcode ID: c4fff849694c24902fc4546648ce8dc93aa4ce197c5f648d8034e5ef26b3d45a
                                                                                                            • Instruction ID: d27ec0f1aa0d561970446c0a0297b3e8ceb0f75d1409450059691fa41fd406d0
                                                                                                            • Opcode Fuzzy Hash: c4fff849694c24902fc4546648ce8dc93aa4ce197c5f648d8034e5ef26b3d45a
                                                                                                            • Instruction Fuzzy Hash: 6461A071608361EFD312DF55C848B6ABBE8EF49714F104A4EF9859B291C770EE48CB92
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                              • Part of subcall function 0037912D: GetCursorPos.USER32(?), ref: 00379141
                                                                                                              • Part of subcall function 0037912D: ScreenToClient.USER32(00000000,?), ref: 0037915E
                                                                                                              • Part of subcall function 0037912D: GetAsyncKeyState.USER32(00000001), ref: 00379183
                                                                                                              • Part of subcall function 0037912D: GetAsyncKeyState.USER32(00000002), ref: 0037919D
                                                                                                            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003F8B6B
                                                                                                            • ImageList_EndDrag.COMCTL32 ref: 003F8B71
                                                                                                            • ReleaseCapture.USER32 ref: 003F8B77
                                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 003F8C12
                                                                                                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003F8C25
                                                                                                            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003F8CFF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                            • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#C
                                                                                                            • API String ID: 1924731296-2471640071
                                                                                                            • Opcode ID: 0f410bb869a40308f7472d5547d2c4927afac39c580a6dac407bf650d6396878
                                                                                                            • Instruction ID: 914356fb68d876c667ad768f7181bf3d048325799c9feb0ec9b9f367cbab8f12
                                                                                                            • Opcode Fuzzy Hash: 0f410bb869a40308f7472d5547d2c4927afac39c580a6dac407bf650d6396878
                                                                                                            • Instruction Fuzzy Hash: 6F517C71204208AFD705DF24DD55FBA77E8FF88710F404629FA569B2E1CB749904CB66
                                                                                                            APIs
                                                                                                            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003D33CF
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003D33F0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString$_wcslen
                                                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                            • API String ID: 4099089115-3080491070
                                                                                                            • Opcode ID: c3701363bfdf24253d53e706c971558cf1975af3218b7c47fc64f4057e975846
                                                                                                            • Instruction ID: fb053947d8a9b2dd188749d891545843bc1a9b54ba86b5ecf64d2596eb1289d3
                                                                                                            • Opcode Fuzzy Hash: c3701363bfdf24253d53e706c971558cf1975af3218b7c47fc64f4057e975846
                                                                                                            • Instruction Fuzzy Hash: 1D51C132900209AADF16EBA0DE46EEEB378AF05340F208066F405771A5EB352F58DF61
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 1256254125-769500911
APIs
• SetErrorMode.KERNEL32(00000001), ref: 003D53A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003D5416
• GetLastError.KERNEL32 ref: 003D5420
• SetErrorMode.KERNEL32(00000000,READY), ref: 003D54A7
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
APIs
• CreateMenu.USER32 ref: 003F3C79
• SetMenu.USER32(?,00000000), ref: 003F3C88
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F3D10
• IsMenu.USER32(?), ref: 003F3D24
• CreatePopupMenu.USER32 ref: 003F3D2E
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003F3D5B
• DrawMenuBar.USER32 ref: 003F3D63
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003F3A9D
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003F3AA0
• GetWindowLongW.USER32(?,000000F0), ref: 003F3AC7
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003F3AEA
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003F3B62
• SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003F3BAC
• SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003F3BC7
• SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003F3BE2
• SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003F3BF6
• SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003F3C13
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
APIs
• _free.LIBCMT ref: 00392C94
  • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
  • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
• _free.LIBCMT ref: 00392CA0
• _free.LIBCMT ref: 00392CAB
• _free.LIBCMT ref: 00392CB6
• _free.LIBCMT ref: 00392CC1
• _free.LIBCMT ref: 00392CCC
• _free.LIBCMT ref: 00392CD7
• _free.LIBCMT ref: 00392CE2
• _free.LIBCMT ref: 00392CED
• _free.LIBCMT ref: 00392CFB
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00361459
• OleUninitialize.OLE32(?,00000000), ref: 003614F8
• UnregisterHotKey.USER32(?), ref: 003616DD
• DestroyWindow.USER32(?), ref: 003A24B9
• FreeLibrary.KERNEL32(?), ref: 003A251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 003A254B
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003D7FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D7FC1
• GetFileAttributesW.KERNEL32(?), ref: 003D7FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 003D8005
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D8017
• SetCurrentDirectoryW.KERNEL32(?), ref: 003D8060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003D80B0
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00365C7A
  • Part of subcall function 00365D0A: GetClientRect.USER32(?,?), ref: 00365D30
  • Part of subcall function 00365D0A: GetWindowRect.USER32(?,?), ref: 00365D71
  • Part of subcall function 00365D0A: ScreenToClient.USER32(?,?), ref: 00365D99
• GetDC.USER32 ref: 003A46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003A4708
• SelectObject.GDI32(00000000,00000000), ref: 003A4716
• SelectObject.GDI32(00000000,00000000), ref: 003A472B
• ReleaseDC.USER32(?,00000000), ref: 003A4733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003A47C4
                                                                                                            Similarity
                                                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                            • String ID: U
                                                                                                            • API String ID: 4009187628-3372436214
                                                                                                            • Opcode ID: 740873fe269506a0a960c7cc7e0fe98e7c4e2c8ce7de71ed439f1459e01ad0e3
                                                                                                            • Instruction ID: 0b48a880b7a2ff1a9c481f708099c4211aefce340cbb3920c2ef0dca079239f2
                                                                                                            • Opcode Fuzzy Hash: 740873fe269506a0a960c7cc7e0fe98e7c4e2c8ce7de71ed439f1459e01ad0e3
                                                                                                            • Instruction Fuzzy Hash: A871E231400249DFCF238F64C984ABA7BB9FF8B311F154269ED655A16AC7728C41DF50
                                                                                                            APIs
                                                                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003D35E4
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • LoadStringW.USER32(00432390,?,00000FFF,?), ref: 003D360A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString$_wcslen
                                                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                                            • API String ID: 4099089115-2391861430
                                                                                                            • Opcode ID: 3f2ec393f2d8adae70ae7f7834e50f609f026abe8a58ed80f3945b3c5e630514
                                                                                                            • Instruction ID: a13fec62a64bcda36439e28787d3227995713c6aa7cc4d0a026f1fd1bf3ff13c
                                                                                                            • Opcode Fuzzy Hash: 3f2ec393f2d8adae70ae7f7834e50f609f026abe8a58ed80f3945b3c5e630514
                                                                                                            • Instruction Fuzzy Hash: 7F519E72900209BADF16EBA0DD42EEEBB78AF14300F148126F505761A5EB305E98DFA1
                                                                                                            APIs
                                                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003DC272
                                                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003DC29A
                                                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003DC2CA
                                                                                                            • GetLastError.KERNEL32 ref: 003DC322
                                                                                                            • SetEvent.KERNEL32(?), ref: 003DC336
                                                                                                            • InternetCloseHandle.WININET(00000000), ref: 003DC341
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3113390036-3916222277
                                                                                                            • Opcode ID: 50988905efed31468e4ae7ca21c9a59def89eb14e627fc35ce53c0f85a5213bb
                                                                                                            • Instruction ID: 0e53b1428c6124d630010e6069290936805e016ac7c2e4eb6720cc7554c6f3e7
                                                                                                            • Opcode Fuzzy Hash: 50988905efed31468e4ae7ca21c9a59def89eb14e627fc35ce53c0f85a5213bb
                                                                                                            • Instruction Fuzzy Hash: FD318DB6520209AFDB239F65A988ABB7BFCEB49740F14951EF44696300DB34DD08DB60
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003A3AAF,?,?,Bad directive syntax error,003FCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003C98BC
                                                                                                            • LoadStringW.USER32(00000000,?,003A3AAF,?), ref: 003C98C3
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003C9987
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleLoadMessageModuleString_wcslen
                                                                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                                            • API String ID: 858772685-4153970271
                                                                                                            • Opcode ID: 8d6e26d4eb04d958051a303b497ff516088d29119d630b9b67c9a31f4025e11f
                                                                                                            • Instruction ID: eb67b187ca80e8bc00f2ffb3ee1fcc6443ac7c363c094134430cfd2855bdd9bf
                                                                                                            • Opcode Fuzzy Hash: 8d6e26d4eb04d958051a303b497ff516088d29119d630b9b67c9a31f4025e11f
                                                                                                            • Instruction Fuzzy Hash: 70217E3194021EABCF12AF90CC0AFFE7739BF18700F04845AF5156A0A2EB75AA18DB50
                                                                                                            APIs
                                                                                                            • GetParent.USER32 ref: 003C20AB
                                                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 003C20C0
                                                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003C214D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassMessageNameParentSend
                                                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                            • API String ID: 1290815626-3381328864
                                                                                                            • Opcode ID: 4d3f7ec9291f2588c4a2b332f966177cafb6d8d9cc5c9b15db2f6faf0c789808
                                                                                                            • Instruction ID: db1290d8e6c49a6952647e14d8a1e2b017dddb0524c4ad2ed590f663412d8df4
                                                                                                            • Opcode Fuzzy Hash: 4d3f7ec9291f2588c4a2b332f966177cafb6d8d9cc5c9b15db2f6faf0c789808
                                                                                                            • Instruction Fuzzy Hash: E311E376688717B9FA073620AC06EA7779CDB04324F25006AFA04E94E1EA796C115B18
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 1282221369-0
                                                                                                            • Opcode ID: 8a831168e46656070a39993c53e2b2494542de2612f149397d0185a9c33f324e
                                                                                                            • Instruction ID: 8e20d2ae56fcfd02382af89d855d38a63ff9f80dd607b72af9acb772e5891b99
                                                                                                            • Opcode Fuzzy Hash: 8a831168e46656070a39993c53e2b2494542de2612f149397d0185a9c33f324e
                                                                                                            • Instruction Fuzzy Hash: 43616771914301AFDF23AFB4D891A6E7BE9EF05360F05426DF946AB282E7319D01C790
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 003F5186
                                                                                                            • ShowWindow.USER32(?,00000000), ref: 003F51C7
                                                                                                            • ShowWindow.USER32(?,00000005,?,00000000), ref: 003F51CD
                                                                                                            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 003F51D1
                                                                                                              • Part of subcall function 003F6FBA: DeleteObject.GDI32(00000000), ref: 003F6FE6
                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 003F520D
                                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003F521A
                                                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003F524D
                                                                                                            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 003F5287
                                                                                                            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 003F5296
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                            • String ID:
                                                                                                            • API String ID: 3210457359-0
                                                                                                            • Opcode ID: e329e1c59c9625fb274dbb0ea448306e5eeb19c7dafd3aa70c280d44c8a516e7
                                                                                                            • Instruction ID: f2bd48be1bf568a094f9c3eb9b1d5da9a6458d40b95fa5ec22b3397c09fc6c44
                                                                                                            • Opcode Fuzzy Hash: e329e1c59c9625fb274dbb0ea448306e5eeb19c7dafd3aa70c280d44c8a516e7
                                                                                                            • Instruction Fuzzy Hash: E4518130A90A0CBEEF369F24CC46BF97B65EF05321F158612F7159A2E0C775A990DB41
                                                                                                            APIs
                                                                                                            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003B6890
                                                                                                            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003B68A9
                                                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003B68B9
                                                                                                            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003B68D1
                                                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003B68F2
                                                                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00378874,00000000,00000000,00000000,000000FF,00000000), ref: 003B6901
                                                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003B691E
                                                                                                            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00378874,00000000,00000000,00000000,000000FF,00000000), ref: 003B692D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
• Opcode ID: c8851b311fedd92c3e5249bbab59e9f0b0fd8ebf70b26ac1823dcd9cf208c6e0
• Instruction ID: 2daa5039d1f1b94775cba290382dc760d75b8fa0b50b8f017376719ab98b2fd9
• Opcode Fuzzy Hash: c8851b311fedd92c3e5249bbab59e9f0b0fd8ebf70b26ac1823dcd9cf208c6e0
• Instruction Fuzzy Hash: F5518B70640209EFDB22CF25CC56FAA7BB9EF48354F108528FA1AD76A0DB74E950DB40
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003DC182
• GetLastError.KERNEL32 ref: 003DC195
• SetEvent.KERNEL32(?), ref: 003DC1A9
  • Part of subcall function 003DC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003DC272
  • Part of subcall function 003DC253: GetLastError.KERNEL32 ref: 003DC322
  • Part of subcall function 003DC253: SetEvent.KERNEL32(?), ref: 003DC336
  • Part of subcall function 003DC253: InternetCloseHandle.WININET(00000000), ref: 003DC341
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: 5b771b4be4b53e4b7ae76e7fc4b6e32054b7f6a95e00f0ffa3da4b29fe275c96
• Instruction ID: e0d3ea400ac066dc4ace4d3796c8662acaa6d99a2995e22bc7831b2af0363481
• Opcode Fuzzy Hash: 5b771b4be4b53e4b7ae76e7fc4b6e32054b7f6a95e00f0ffa3da4b29fe275c96
• Instruction Fuzzy Hash: C4319E72570606AFDB229FA5ED44A76BBFCFF18300B14681EF95686710C731E814DB60
APIs
  • Part of subcall function 003C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003C3A57
  • Part of subcall function 003C3A3D: GetCurrentThreadId.KERNEL32 ref: 003C3A5E
  • Part of subcall function 003C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003C25B3), ref: 003C3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003C25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003C25DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003C25DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003C25E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003C2601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003C2605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003C260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003C2623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003C2627
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: a6c72287b6d66b16171d56e3de7c153c57775aec826afd2ce6b2e6ba9050343a
• Instruction ID: 1a328c01b4594f14deff0f5cb5b7da4e2d6d5a44467f615740b7d544b099a73c
• Opcode Fuzzy Hash: a6c72287b6d66b16171d56e3de7c153c57775aec826afd2ce6b2e6ba9050343a
• Instruction Fuzzy Hash: 7C01B1302A4214BBFB1167689C8AF6A7E5DDF4AB12F101005F358EE0D1C9E26854CA6A
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003C1449,?,?,00000000), ref: 003C180C
• HeapAlloc.KERNEL32(00000000,?,003C1449,?,?,00000000), ref: 003C1813
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003C1449,?,?,00000000), ref: 003C1828
• GetCurrentProcess.KERNEL32(?,00000000,?,003C1449,?,?,00000000), ref: 003C1830
• DuplicateHandle.KERNEL32(00000000,?,003C1449,?,?,00000000), ref: 003C1833
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003C1449,?,?,00000000), ref: 003C1843
• GetCurrentProcess.KERNEL32(003C1449,00000000,?,003C1449,?,?,00000000), ref: 003C184B
• DuplicateHandle.KERNEL32(00000000,?,003C1449,?,?,00000000), ref: 003C184E
• CreateThread.KERNEL32(00000000,00000000,003C1874,00000000,00000000,00000000), ref: 003C1868
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: 770f574f8b0664bfe21a0d13db4230c57d1a4fc2b54709b24464dffc1bde2c22
• Instruction ID: a03b3f1d44f819bc12755535efa143edf82ac072a1cd1e5276bfb4cd0beca961
• Opcode Fuzzy Hash: 770f574f8b0664bfe21a0d13db4230c57d1a4fc2b54709b24464dffc1bde2c22
• Instruction Fuzzy Hash: 8101BBB5290308BFE711ABA5DD4DF6B3BACEB89B11F005411FA05DB1A2CA749810DB60
APIs
  • Part of subcall function 003CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 003CD501
  • Part of subcall function 003CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 003CD50F
  • Part of subcall function 003CD4DC: CloseHandle.KERNEL32(00000000), ref: 003CD5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003EA16D
• GetLastError.KERNEL32 ref: 003EA180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003EA1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 003EA268
• GetLastError.KERNEL32(00000000), ref: 003EA273
• CloseHandle.KERNEL32(00000000), ref: 003EA2C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 0a0c33012167e22892d3ab04e39e9e3656fb397f5483121b479e6c7049963e71
• Instruction ID: 5a8f8bc49598545a133535119db191d76fccb81b603ba5fa9407ea266c4c158f
• Opcode Fuzzy Hash: 0a0c33012167e22892d3ab04e39e9e3656fb397f5483121b479e6c7049963e71
• Instruction Fuzzy Hash: 4E61AA302046929FD712DF15C494F26BBE4AF44318F19858CE5668FBA3C7B6EC45CB92
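The listing above shows each function only as raw API calls with hex arguments. Two of the entries are worth reading as capabilities rather than call lists: the AttachThreadInput / MapVirtualKeyW / PostMessageW function posts WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for VK_LEFT (0x25) and VK_RIGHT (0x27) into another thread's window, and the CreateToolhelp32Snapshot / OpenProcess / TerminateProcess function opens processes with access mask 0x1 (PROCESS_TERMINATE) and carries the SeDebugPrivilege string. Since the report flags the sample as a compiled AutoIt binary, routines like these are usually the interpreter's own runtime helpers rather than script logic, so their presence shows capability, not that the script uses it. The Python script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses entries in exactly this text layout, decodes the constants above, and flags call-sequence patterns. The rule names in RULES are this example's own labels (not Joe Sandbox signature names), and the sample text embedded in it is copied from the two entries above.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and flag
capability patterns. Added example, not code from Joe Sandbox or the sample.
Assumes the layout used above: an "APIs" header, one bullet per call
("API.MODULE(args), ref: ADDR", nested calls prefixed "Part of subcall
function ADDR:"), then "• API ID:" / "• String ID:" lines. RULES is this
example's own heuristic, not a Joe Sandbox signature."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Win32 constants that the listing shows only as raw hex.
WM_NAMES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VK_NAMES = {0x25: "VK_LEFT", 0x27: "VK_RIGHT"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
# Every API in a rule must appear in the entry, directly or via a subcall.
RULES = {
    "process_kill": {"CreateToolhelp32Snapshot", "Process32FirstW", "OpenProcess", "TerminateProcess"},
    "keystroke_injection": {"AttachThreadInput", "MapVirtualKeyW", "PostMessageW"},
    "thread_with_dup_handles": {"DuplicateHandle", "CreateThread"},
    "wininet_fetch": {"InternetConnectW", "InternetOpenUrlW"},
}

@dataclass
class Call:
    api: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the plugin printed "?"
    ref: str
    subcall_of: Optional[str]        # callee address when the call is nested

@dataclass
class FunctionEntry:
    calls: List[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""

    def capabilities(self) -> List[str]:
        seen = {c.api for c in self.calls}
        return [name for name, needed in RULES.items() if needed <= seen]

def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None

def parse_entries(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; dump and hash metadata lines are ignored."""
    entries: List[FunctionEntry] = []
    cur = FunctionEntry()  # lines before the first header land here and are dropped
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif (m := CALL_RE.match(line)):
            args = tuple(_parse_arg(a) for a in m["args"].split(",")) if m["args"] else ()
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
        elif s.startswith("• API ID:"):
            cur.api_id = s.split(":", 1)[1].strip()
        elif s.startswith("• String ID:"):
            cur.string_id = s.split(":", 1)[1].strip()
    return entries

def _hexs(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:X}"

def decode_call(c: Call) -> str:
    """Render a call with the constants that matter symbolised."""
    a = c.args
    if c.api == "PostMessageW" and len(a) >= 3:
        key = VK_NAMES.get(a[2], _hexs(a[2])) if a[1] in WM_NAMES else _hexs(a[2])
        return f"PostMessageW(hwnd={_hexs(a[0])}, {WM_NAMES.get(a[1], _hexs(a[1]))}, {key})"
    if c.api == "OpenProcess" and a and a[0] is not None:
        names = [n for bit, n in PROCESS_ACCESS.items() if a[0] & bit]
        return f"OpenProcess({'|'.join(names) or _hexs(a[0])})"
    return c.api

# Constructed sample: two entries copied from the report listing above.
SAMPLE = """APIs
  • Part of subcall function 003C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003C3A57
  • Part of subcall function 003C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003C25B3), ref: 003C3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003C25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003C25DB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003C2623
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
APIs
  • Part of subcall function 003CD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 003CD501
  • Part of subcall function 003CD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 003CD50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 003EA16D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 003EA268
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
"""

if __name__ == "__main__":
    print([(e.api_id, e.string_id, e.capabilities(), [decode_call(c) for c in e.calls]) for e in parse_entries(SAMPLE)])
```

Run against the full text of a report's function listing, the same parser yields one entry per "APIs" block; the rules are deliberately conservative (all APIs of a rule must be present) so that a lone OpenProcess or PostMessageW in an unrelated GUI helper does not fire. Subcall lines count towards a rule because the plugin prints them as part of the function's effective behaviour.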
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003F3925
                                                                                                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003F393A
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003F3954
                                                                                                            • _wcslen.LIBCMT ref: 003F3999
                                                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 003F39C6
                                                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003F39F4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Window_wcslen
                                                                                                            • String ID: SysListView32
                                                                                                            • API String ID: 2147712094-78025650
                                                                                                            • Opcode ID: 386584009783437bf1a88bd333eb58e0b821315220937deeb6c9262ad7d2ecc2
                                                                                                            • Instruction ID: 14a15b1847ec3df7dd084b257db6f92ca1d7b169a3b72711dea41d2381f5fd65
                                                                                                            • Opcode Fuzzy Hash: 386584009783437bf1a88bd333eb58e0b821315220937deeb6c9262ad7d2ecc2
                                                                                                            • Instruction Fuzzy Hash: 8541C471A0021DABDF229F64CC45FFA77A9EF08350F110526FA58E7291D7B59D84CB90
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003CBCFD
                                                                                                            • IsMenu.USER32(00000000), ref: 003CBD1D
                                                                                                            • CreatePopupMenu.USER32 ref: 003CBD53
                                                                                                            • GetMenuItemCount.USER32(0164C0A8), ref: 003CBDA4
                                                                                                            • InsertMenuItemW.USER32(0164C0A8,?,00000001,00000030), ref: 003CBDCC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                            • String ID: 0$2
                                                                                                            • API String ID: 93392585-3793063076
                                                                                                            • Opcode ID: e733434fe787700d918ce19b16d3dc9d38436ba933649718ce0b81cde1a60a20
                                                                                                            • Instruction ID: e34fe57c7087172d32bbddf74c133a0c66f958a47789b133193c73ed0aa8fe0b
                                                                                                            • Opcode Fuzzy Hash: e733434fe787700d918ce19b16d3dc9d38436ba933649718ce0b81cde1a60a20
                                                                                                            • Instruction Fuzzy Hash: 9751BC70A002499BDB12DFA9D88AFAEFBF8BF45314F14815DE406EB290D7709D45CB61
                                                                                                            APIs
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00382D4B
                                                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00382D53
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00382DE1
                                                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00382E0C
                                                                                                            • _ValidateLocalCookies.LIBCMT ref: 00382E61
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                            • String ID: &H8$csm
                                                                                                            • API String ID: 1170836740-607440215
                                                                                                            • Opcode ID: 1baee0f0fbc2833da3b43e142dde2ca7f294dde9c9da09958a14f07c0cda76ed
                                                                                                            • Instruction ID: b0a0875dd052d6fb6dc4cfc8de7d698486f4af5713d6496bd732da15177de140
                                                                                                            • Opcode Fuzzy Hash: 1baee0f0fbc2833da3b43e142dde2ca7f294dde9c9da09958a14f07c0cda76ed
                                                                                                            • Instruction Fuzzy Hash: 13418634A003099BCF11EF68C845A9FBFB5BF45314F1581A6E8256B392D775AA09CBD0
                                                                                                            APIs
                                                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 003CC913
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: IconLoad
                                                                                                            • String ID: blank$info$question$stop$warning
                                                                                                            • API String ID: 2457776203-404129466
                                                                                                            • Opcode ID: bb36f77870c1e0648ecfe51564826260f062b088127fabcea86bbb3a83c69d53
                                                                                                            • Instruction ID: 71f177d2b49ac9b22793ad38fa87da4d8d52dcc66e7301c00a7480f1fb30fe98
                                                                                                            • Opcode Fuzzy Hash: bb36f77870c1e0648ecfe51564826260f062b088127fabcea86bbb3a83c69d53
                                                                                                            • Instruction Fuzzy Hash: B7116D31799317BAE707AB14AC83FAB33ACCF15314B61102FF408EA182D7759D009368
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                            • String ID: 0.0.0.0
                                                                                                            • API String ID: 642191829-3771769585
                                                                                                            • Opcode ID: da720d66f55a3f835779158755683d4ae57edee6fc6e91d81bb805c4eb40817f
                                                                                                            • Instruction ID: 6c9fd392eeb139f0551cbe8e80a120447d08439296405008e97e67ea146e5cdb
                                                                                                            • Opcode Fuzzy Hash: da720d66f55a3f835779158755683d4ae57edee6fc6e91d81bb805c4eb40817f
                                                                                                            • Instruction Fuzzy Hash: 0A11E431904219AFCB22BB70DC0AEEE77ACDB15710F0101BAF549DA091EF708E85CB90
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$LocalTime
                                                                                                            • String ID:
                                                                                                            • API String ID: 952045576-0
                                                                                                            • Opcode ID: bc5ff72641b55e4f1af182351a90096c59175e8557ec1d643790453889473b5b
                                                                                                            • Instruction ID: acd6a64e190df13e5fd1321e093141070ee92dc27a0d2acd6c2be0ed91c49d3e
                                                                                                            • Opcode Fuzzy Hash: bc5ff72641b55e4f1af182351a90096c59175e8557ec1d643790453889473b5b
                                                                                                            • Instruction Fuzzy Hash: EB41B565C1021876CB22FBF4888AECFB7A8AF45310F5088A6E518E7162FB34D645C3E5
                                                                                                            APIs
                                                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003B682C,00000004,00000000,00000000), ref: 0037F953
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003B682C,00000004,00000000,00000000), ref: 003BF3D1
                                                                                                            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003B682C,00000004,00000000,00000000), ref: 003BF454
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ShowWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1268545403-0
                                                                                                            • Opcode ID: 54de75ffde180de6462f461a3164077ae865f8b12a8534295c29485485728130
                                                                                                            • Instruction ID: 5f428e67c4d38209a84335c53ce43aee148de8927d2c117d9ffb743c96e0bf81
                                                                                                            • Opcode Fuzzy Hash: 54de75ffde180de6462f461a3164077ae865f8b12a8534295c29485485728130
                                                                                                            • Instruction Fuzzy Hash: 97412931608640BEC73B9B2D8D887BA7B99BB47314F15D03CE35F56960D739A880DB11
                                                                                                            APIs
                                                                                                            • DeleteObject.GDI32(00000000), ref: 003F2D1B
                                                                                                            • GetDC.USER32(00000000), ref: 003F2D23
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003F2D2E
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 003F2D3A
                                                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003F2D76
                                                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003F2D87
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003F5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003F2DC2
                                                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003F2DE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3864802216-0
                                                                                                            • Opcode ID: 0b45d4b76e4a17a7e0f4d03187556014dca0cd36242ceb1cf7891e987b9e429f
                                                                                                            • Instruction ID: 542e32c892e69d542e24b934f99412cc450bd66db2b9ca1a738caf9fda5eb896
                                                                                                            • Opcode Fuzzy Hash: 0b45d4b76e4a17a7e0f4d03187556014dca0cd36242ceb1cf7891e987b9e429f
                                                                                                            • Instruction Fuzzy Hash: C9315A72251618ABEB128F50CD8AFBB3BADEB09715F084065FE08DA291C6759C51CBA4
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 2931989736-0
                                                                                                            • Opcode ID: 9bba2a9bb12ecad2de89732384cd109a58066d7cbe59d714820ce9d72cacda79
                                                                                                            • Instruction ID: 9d7bbddb9e71dba56121178e779990d395c729f42b068dd9609a91a80cb19a99
                                                                                                            • Opcode Fuzzy Hash: 9bba2a9bb12ecad2de89732384cd109a58066d7cbe59d714820ce9d72cacda79
                                                                                                            • Instruction Fuzzy Hash: 8F21C966641A197BD617A5208E82FFB335CAF21385F440028FE04DEA81F761FDA183A9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                                                            • API String ID: 0-572801152
                                                                                                            • Opcode ID: dc9a9099c127d2bd84781a41145480af0c1bded555834b4237b0a6894669ea45
                                                                                                            • Instruction ID: e1f92f6e26579d576a39f1f542e89f5b8fd3eaf6d4da30f6bc5a43bb530b0d32
                                                                                                            • Opcode Fuzzy Hash: dc9a9099c127d2bd84781a41145480af0c1bded555834b4237b0a6894669ea45
                                                                                                            • Instruction Fuzzy Hash: D7D1E375A0065A9FDF11CF99C880BAEB7B5BF48348F158269E915EB2C1E370DD41CB90
                                                                                                            APIs
                                                                                                            • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003A17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003A15CE
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003A1651
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003A17FB,?,003A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003A16E4
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003A16FB
                                                                                                              • Part of subcall function 00393820: RtlAllocateHeap.NTDLL(00000000,?,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6,?,00361129), ref: 00393852
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003A17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003A1777
                                                                                                            • __freea.LIBCMT ref: 003A17A2
                                                                                                            • __freea.LIBCMT ref: 003A17AE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                            • String ID:
                                                                                                            • API String ID: 2829977744-0
                                                                                                            • Opcode ID: 3dd463e8f51bfe634ae368c56403dd448bc156272e7320af2ad22987b8c9c318
                                                                                                            • Instruction ID: c1ace0e8384726476f96ad18aa93a3d3103806b12ee853c6db94c9a843789624
                                                                                                            • Opcode Fuzzy Hash: 3dd463e8f51bfe634ae368c56403dd448bc156272e7320af2ad22987b8c9c318
                                                                                                            • Instruction Fuzzy Hash: 2291D472E102169ADF268E74C981EEE7BB9EF4B310F194659E802EB190D736CC44CB60
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearInit
                                                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                            • API String ID: 2610073882-625585964
APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003D125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003D1284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003D12A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003D12D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003D135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003D13C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003D1430
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• VariantInit.OLEAUT32(?), ref: 003E396B
• CharUpperBuffW.USER32(?,?), ref: 003E3A7A
• _wcslen.LIBCMT ref: 003E3A8A
• VariantClear.OLEAUT32(?), ref: 003E3C1F
  • Part of subcall function 003D0CDF: VariantInit.OLEAUT32(00000000), ref: 003D0D1F
  • Part of subcall function 003D0CDF: VariantCopy.OLEAUT32(?,?), ref: 003D0D28
  • Part of subcall function 003D0CDF: VariantClear.OLEAUT32(?), ref: 003D0D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
APIs
  • Part of subcall function 003C000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?,?,003C035E), ref: 003C002B
  • Part of subcall function 003C000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?), ref: 003C0046
  • Part of subcall function 003C000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?), ref: 003C0054
  • Part of subcall function 003C000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?), ref: 003C0064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003E4C51
• _wcslen.LIBCMT ref: 003E4D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003E4DCF
• CoTaskMemFree.OLE32(?), ref: 003E4DDA
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
APIs
• GetMenu.USER32(?), ref: 003F2183
• GetMenuItemCount.USER32(00000000), ref: 003F21B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003F21DD
• _wcslen.LIBCMT ref: 003F2213
• GetMenuItemID.USER32(?,?), ref: 003F224D
• GetSubMenu.USER32(?,?), ref: 003F225B
  • Part of subcall function 003C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003C3A57
  • Part of subcall function 003C3A3D: GetCurrentThreadId.KERNEL32 ref: 003C3A5E
  • Part of subcall function 003C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003C25B3), ref: 003C3A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003F22E3
  • Part of subcall function 003CE97B: Sleep.KERNEL32 ref: 003CE9F3
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
APIs
• GetParent.USER32(?), ref: 003CAEF9
• GetKeyboardState.USER32(?), ref: 003CAF0E
• SetKeyboardState.USER32(?), ref: 003CAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 003CAF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 003CAFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 003CAFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 003CB020
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 003CAD19
• GetKeyboardState.USER32(?), ref: 003CAD2E
• SetKeyboardState.USER32(?), ref: 003CAD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003CADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003CADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003CAE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003CAE38
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
                                                                                                            APIs
                                                                                                            • GetConsoleCP.KERNEL32(003A3CD6,?,?,?,?,?,?,?,?,00395BA3,?,?,003A3CD6,?,?), ref: 00395470
                                                                                                            • __fassign.LIBCMT ref: 003954EB
                                                                                                            • __fassign.LIBCMT ref: 00395506
                                                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003A3CD6,00000005,00000000,00000000), ref: 0039552C
                                                                                                            • WriteFile.KERNEL32(?,003A3CD6,00000000,00395BA3,00000000,?,?,?,?,?,?,?,?,?,00395BA3,?), ref: 0039554B
                                                                                                            • WriteFile.KERNEL32(?,?,00000001,00395BA3,00000000,?,?,?,?,?,?,?,?,?,00395BA3,?), ref: 00395584
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                            • String ID:
                                                                                                            • API String ID: 1324828854-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 003E304E: inet_addr.WSOCK32(?), ref: 003E307A
                                                                                                              • Part of subcall function 003E304E: _wcslen.LIBCMT ref: 003E309B
                                                                                                            • socket.WSOCK32(00000002,00000001,00000006), ref: 003E1112
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E1121
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E11C9
                                                                                                            • closesocket.WSOCK32(00000000), ref: 003E11F9
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 2675159561-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 003CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003CCF22,?), ref: 003CDDFD
                                                                                                              • Part of subcall function 003CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003CCF22,?), ref: 003CDE16
                                                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 003CCF45
                                                                                                            • MoveFileW.KERNEL32(?,?), ref: 003CCF7F
                                                                                                            • _wcslen.LIBCMT ref: 003CD005
                                                                                                            • _wcslen.LIBCMT ref: 003CD01B
                                                                                                            • SHFileOperationW.SHELL32(?), ref: 003CD061
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                            • String ID: \*.*
                                                                                                            • API String ID: 3164238972-1173974218
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003F2E1C
                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003F2E4F
                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003F2E84
                                                                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003F2EB6
                                                                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003F2EE0
                                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 003F2EF1
                                                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003F2F0B
                                                                                                            Similarity
                                                                                                            • API ID: LongWindow$MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 2178440468-0
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003C7769
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003C778F
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 003C7792
                                                                                                            • SysAllocString.OLEAUT32(?), ref: 003C77B0
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 003C77B9
                                                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 003C77DE
                                                                                                            • SysAllocString.OLEAUT32(?), ref: 003C77EC
                                                                                                            Similarity
                                                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                            • String ID:
                                                                                                            • API String ID: 3761583154-0
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003C7842
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003C7868
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 003C786B
                                                                                                            • SysAllocString.OLEAUT32 ref: 003C788C
                                                                                                            • SysFreeString.OLEAUT32 ref: 003C7895
                                                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 003C78AF
                                                                                                            • SysAllocString.OLEAUT32(?), ref: 003C78BD
                                                                                                            Similarity
                                                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                            • String ID:
                                                                                                            • API String ID: 3761583154-0
                                                                                                            APIs
                                                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 003D04F2
                                                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003D052E
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: CreateHandlePipe
                                                                                                            • String ID: nul
                                                                                                            • API String ID: 1424370930-2873401336
                                                                                                            APIs
                                                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 003D05C6
                                                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003D0601
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateHandlePipe
                                                                                                            • String ID: nul
                                                                                                            • API String ID: 1424370930-2873401336
                                                                                                            • Opcode ID: 239c6b805e7296011aa3e98f428d6c669071413becdf457fdd8e1d6355757191
                                                                                                            • Instruction ID: e865efc01f38fdd26e252f9ac9bcfba31942e94c64f2ae3dcd879536739670fa
                                                                                                            • Opcode Fuzzy Hash: 239c6b805e7296011aa3e98f428d6c669071413becdf457fdd8e1d6355757191
                                                                                                            • Instruction Fuzzy Hash: 892156765003059BDB269F79EC04B5A77E8EF95B20F210A1AF8A1E73D0D770D960CB10
                                                                                                            APIs
                                                                                                              • Part of subcall function 0036600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0036604C
                                                                                                              • Part of subcall function 0036600E: GetStockObject.GDI32(00000011), ref: 00366060
                                                                                                              • Part of subcall function 0036600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0036606A
                                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003F4112
                                                                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003F411F
                                                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003F412A
                                                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003F4139
                                                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003F4145
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                                                                            • String ID: Msctls_Progress32
                                                                                                            • API String ID: 1025951953-3636473452
                                                                                                            • Opcode ID: d544ca06dba1f5a250192f1d66965d6444b72ecefcac9b70272ad1d20178e480
                                                                                                            • Instruction ID: 9b04555547dc064456b0fcad0f7f2f9533d0aa79b3dddc926687e40e64f7d7d2
                                                                                                            • Opcode Fuzzy Hash: d544ca06dba1f5a250192f1d66965d6444b72ecefcac9b70272ad1d20178e480
                                                                                                            • Instruction Fuzzy Hash: 64118EB215021DBEEB119E64CC86EE77F5DEF08798F014111BB18A6150CB729C21DBA4
                                                                                                            APIs
                                                                                                              • Part of subcall function 0039D7A3: _free.LIBCMT ref: 0039D7CC
                                                                                                            • _free.LIBCMT ref: 0039D82D
                                                                                                              • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
                                                                                                              • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
                                                                                                            • _free.LIBCMT ref: 0039D838
                                                                                                            • _free.LIBCMT ref: 0039D843
                                                                                                            • _free.LIBCMT ref: 0039D897
                                                                                                            • _free.LIBCMT ref: 0039D8A2
                                                                                                            • _free.LIBCMT ref: 0039D8AD
                                                                                                            • _free.LIBCMT ref: 0039D8B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                            • Instruction ID: 206ad81c41b3b59a1fb094aa491497d52f2c815d9b8f152883d56d9bb71de3e0
                                                                                                            • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                                                                                            • Instruction Fuzzy Hash: 49119671941B04BAEE22BFF0CC47FCB7BDCAF05700F404825B29DAA592DB76A51586A1
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003CDA74
                                                                                                            • LoadStringW.USER32(00000000), ref: 003CDA7B
                                                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003CDA91
                                                                                                            • LoadStringW.USER32(00000000), ref: 003CDA98
                                                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 003CDADC
                                                                                                            Strings
                                                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 003CDAB9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleLoadModuleString$Message
                                                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                                                            • API String ID: 4072794657-3128320259
                                                                                                            • Opcode ID: d08729d7a993c02391355604aefcc1a876fa881dd93e26b6ea40d6a73a62bfab
                                                                                                            • Instruction ID: d3046a324a57c335912fa204d1033cbc4995ffb7d02afc95b8be07744aaa19fc
                                                                                                            • Opcode Fuzzy Hash: d08729d7a993c02391355604aefcc1a876fa881dd93e26b6ea40d6a73a62bfab
                                                                                                            • Instruction Fuzzy Hash: DB0186F695020C7FE712ABA49E89FF7736CE708701F4014A6B746E2041E6749E848F74
                                                                                                            APIs
                                                                                                            • InterlockedExchange.KERNEL32(0163D3B8,0163D3B8), ref: 003D097B
                                                                                                            • EnterCriticalSection.KERNEL32(0163D398,00000000), ref: 003D098D
                                                                                                            • TerminateThread.KERNEL32(00000000,000001F6), ref: 003D099B
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003D09A9
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003D09B8
                                                                                                            • InterlockedExchange.KERNEL32(0163D3B8,000001F6), ref: 003D09C8
                                                                                                            • LeaveCriticalSection.KERNEL32(0163D398), ref: 003D09CF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 3495660284-0
                                                                                                            • Opcode ID: b498f10d202460c945b014e4dd400eee89d99bd45d921243c1e3ee87a49567f2
                                                                                                            • Instruction ID: 387de74abe77a7e6736ea32198133fc9a7d0fd2827a80a67120c5f7674678471
                                                                                                            • Opcode Fuzzy Hash: b498f10d202460c945b014e4dd400eee89d99bd45d921243c1e3ee87a49567f2
                                                                                                            • Instruction Fuzzy Hash: E6F01D32492506BBDB465B94EF88BE67A39FF01702F402416F101908A0C7749465DF90
                                                                                                            APIs
                                                                                                            • __WSAFDIsSet.WSOCK32(00000000,?), ref: 003E1DC0
                                                                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003E1DE1
                                                                                                            • WSAGetLastError.WSOCK32 ref: 003E1DF2
                                                                                                            • htons.WSOCK32(?), ref: 003E1EDB
                                                                                                            • inet_ntoa.WSOCK32(?), ref: 003E1E8C
                                                                                                              • Part of subcall function 003C39E8: _strlen.LIBCMT ref: 003C39F2
                                                                                                              • Part of subcall function 003E3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,003DEC0C), ref: 003E3240
                                                                                                            • _strlen.LIBCMT ref: 003E1F35
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                                            • String ID:
                                                                                                            • API String ID: 3203458085-0
                                                                                                            • Opcode ID: 8de0384bba75907b6cbb37c89e5e471645bf3a87d05b18e8a41aaf167abfde69
                                                                                                            • Instruction ID: d7da21ebd55ae0b2875f3953707b26d8c6dee933be20953bda0cde4a7cb44911
                                                                                                            • Opcode Fuzzy Hash: 8de0384bba75907b6cbb37c89e5e471645bf3a87d05b18e8a41aaf167abfde69
                                                                                                            • Instruction Fuzzy Hash: 5AB1D031204390AFC326DF25C885F2A77A5AF84318F548A4CF4569F2E2DB31ED42CB91
                                                                                                            APIs
                                                                                                            • GetClientRect.USER32(?,?), ref: 00365D30
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00365D71
                                                                                                            • ScreenToClient.USER32(?,?), ref: 00365D99
                                                                                                            • GetClientRect.USER32(?,?), ref: 00365ED7
                                                                                                            • GetWindowRect.USER32(?,?), ref: 00365EF8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Rect$Client$Window$Screen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1296646539-0
                                                                                                            • Opcode ID: 92bd96a1f2363852716283b463839138a7e52e820207f59820a5783db36280f2
                                                                                                            • Instruction ID: 926d8f11fb60fd3bc029079edf27ad717e3bf61e8a7ed409434764399192d92a
                                                                                                            • Opcode Fuzzy Hash: 92bd96a1f2363852716283b463839138a7e52e820207f59820a5783db36280f2
                                                                                                            • Instruction Fuzzy Hash: CBB18734A00B4ADBDB11CFA8C4807EEB7F5FF48310F14842AE8AAD7654DB34AA51CB54
                                                                                                            APIs
                                                                                                            • __allrem.LIBCMT ref: 003900BA
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003900D6
                                                                                                            • __allrem.LIBCMT ref: 003900ED
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0039010B
                                                                                                            • __allrem.LIBCMT ref: 00390122
                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00390140
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                            • String ID:
                                                                                                            • API String ID: 1992179935-0
                                                                                                            • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                            • Instruction ID: 6341f7e531c3e89e5e87b3a3fe93e314d2a34f05183ceb984e3d5783c2837c2d
                                                                                                            • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                                                                                            • Instruction Fuzzy Hash: A881F676A007069FEB26AF68CC41B6FB3E9EF41724F25463AF551DB681E770D9008750
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003882D9,003882D9,?,?,?,0039644F,00000001,00000001,8BE85006), ref: 00396258
                                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0039644F,00000001,00000001,8BE85006,?,?,?), ref: 003962DE
                                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003963D8
                                                                                                            • __freea.LIBCMT ref: 003963E5
                                                                                                              • Part of subcall function 00393820: RtlAllocateHeap.NTDLL(00000000,?,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6,?,00361129), ref: 00393852
                                                                                                            • __freea.LIBCMT ref: 003963EE
                                                                                                            • __freea.LIBCMT ref: 00396413
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1414292761-0
                                                                                                            • Opcode ID: 15f4a660cd81beea45909711e8dd98e009e37245ec82d2127acbeb05c972b92e
                                                                                                            • Instruction ID: 4d9a0c7afcc4f0550086c140d5a5ff7c98e531e0febc359b47893d878bb002ec
                                                                                                            • Opcode Fuzzy Hash: 15f4a660cd81beea45909711e8dd98e009e37245ec82d2127acbeb05c972b92e
                                                                                                            • Instruction Fuzzy Hash: E051D172A01216ABEF278F64CDC2EBF77A9EB44750F164629FC05DA160EB34DC50C660
                                                                                                            APIs
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                              • Part of subcall function 003EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003EB6AE,?,?), ref: 003EC9B5
                                                                                                              • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003EC9F1
                                                                                                              • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA68
                                                                                                              • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA9E
                                                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003EBCCA
                                                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003EBD25
                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 003EBD6A
                                                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003EBD99
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003EBDF3
                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 003EBDFF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 1120388591-0
                                                                                                            • Opcode ID: e46d18632be01df685c40937485901beeee4daaf3567077658e6ac5e468f37a4
                                                                                                            • Instruction ID: e472c336f6067942f5b1781c14af5c3a75c7c14d9231ec423dbd6e92808b8142
                                                                                                            • Opcode Fuzzy Hash: e46d18632be01df685c40937485901beeee4daaf3567077658e6ac5e468f37a4
                                                                                                            • Instruction Fuzzy Hash: 28817E30118281AFD716DF24C895E2BBBE9FF84308F14856DF5598B2A2DB31ED45CB92
                                                                                                            APIs
                                                                                                            • VariantInit.OLEAUT32(00000035), ref: 003BF7B9
                                                                                                            • SysAllocString.OLEAUT32(00000001), ref: 003BF860
                                                                                                            • VariantCopy.OLEAUT32(003BFA64,00000000), ref: 003BF889
                                                                                                            • VariantClear.OLEAUT32(003BFA64), ref: 003BF8AD
                                                                                                            • VariantCopy.OLEAUT32(003BFA64,00000000), ref: 003BF8B1
                                                                                                            • VariantClear.OLEAUT32(?), ref: 003BF8BB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Variant$ClearCopy$AllocInitString
                                                                                                            • String ID:
                                                                                                            • API String ID: 3859894641-0
                                                                                                            • Opcode ID: 47a49ee30f4e96ec98db80c801064b3801813fa60598e43820c1c98fc023899b
                                                                                                            • Instruction ID: 8b5c07fc55c48b4dd8f34f8ed093752e6d1abd35136024b5071ae9eca59239da
                                                                                                            • Opcode Fuzzy Hash: 47a49ee30f4e96ec98db80c801064b3801813fa60598e43820c1c98fc023899b
                                                                                                            • Instruction Fuzzy Hash: AE51D531610310BFCF22AB65DC95BA9B3A8EF45718F20A477EA05DFA95DB708C40CB56
                                                                                                            APIs
                                                                                                              • Part of subcall function 00367620: _wcslen.LIBCMT ref: 00367625
                                                                                                              • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
                                                                                                            • GetOpenFileNameW.COMDLG32(00000058), ref: 003D94E5
                                                                                                            • _wcslen.LIBCMT ref: 003D9506
                                                                                                            • _wcslen.LIBCMT ref: 003D952D
                                                                                                            • GetSaveFileNameW.COMDLG32(00000058), ref: 003D9585
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _wcslen$FileName$OpenSave
                                                                                                            • String ID: X
                                                                                                            • API String ID: 83654149-3081909835
                                                                                                            • Opcode ID: 9876040063a87ed47d0fbf93bb71cc17e8ed34483a8636dbaa058c95c66aa915
                                                                                                            • Instruction ID: 187000445738fc7e0c9b7af85d3eb6cbf15f5ac4a6a78767471fcc483a24dfd4
                                                                                                            • Opcode Fuzzy Hash: 9876040063a87ed47d0fbf93bb71cc17e8ed34483a8636dbaa058c95c66aa915
                                                                                                            • Instruction Fuzzy Hash: 7FE1A2316043009FD726EF24D881B6AB7E5BF85314F15896EF8899B3A2DB31DD05CB92
                                                                                                            APIs
                                                                                                              • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
                                                                                                            • BeginPaint.USER32(?,?,?), ref: 00379241
                                                                                                            • GetWindowRect.USER32(?,?), ref: 003792A5
                                                                                                            • ScreenToClient.USER32(?,?), ref: 003792C2
                                                                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003792D3
                                                                                                            • EndPaint.USER32(?,?,?,?,?), ref: 00379321
                                                                                                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003B71EA
                                                                                                              • Part of subcall function 00379339: BeginPath.GDI32(00000000), ref: 00379357
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                            • String ID:
                                                                                                            • API String ID: 3050599898-0
                                                                                                            • Opcode ID: 514497dcdcd89e7f8799875d37d8d8328149b6855dfe7952644f7422ffa97147
                                                                                                            • Instruction ID: c78db7cf759708edc09ecd03fd0cac88d5f292a7c1bc1556c1e2a52e3d34aa96
                                                                                                            • Opcode Fuzzy Hash: 514497dcdcd89e7f8799875d37d8d8328149b6855dfe7952644f7422ffa97147
                                                                                                            • Instruction Fuzzy Hash: B841A470104305AFD722DF24CC85FB67BB8EF49324F14466AFA698B2B1C7359845DB61
                                                                                                            APIs
                                                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 003D080C
                                                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003D0847
                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 003D0863
                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 003D08DC
                                                                                                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003D08F3
                                                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 003D0921
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 3368777196-0
                                                                                                            • Opcode ID: b3a1156323804c5e39a4050b7ccfda0e0210944f21e08005e43042d7eb6ee5f0
                                                                                                            • Instruction ID: aeb529777da22a99369e67f2d6779a356cc9c23dd60503e53a01c82f04cf1fa4
                                                                                                            • Opcode Fuzzy Hash: b3a1156323804c5e39a4050b7ccfda0e0210944f21e08005e43042d7eb6ee5f0
                                                                                                            • Instruction Fuzzy Hash: 87416A72900209EFDF16AF54DC85A6AB7B8FF04700F1480A9ED049E296D734EE65DBA4
                                                                                                            APIs
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003BF3AB,00000000,?,?,00000000,?,003B682C,00000004,00000000,00000000), ref: 003F824C
                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 003F8272
                                                                                                            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 003F82D1
                                                                                                            • ShowWindow.USER32(00000000,00000004), ref: 003F82E5
                                                                                                            • EnableWindow.USER32(00000000,00000001), ref: 003F830B
                                                                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003F832F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 642888154-0
APIs
• IsWindowVisible.USER32(?), ref: 003C4C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003C4CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003C4CEA
• _wcslen.LIBCMT ref: 003C4D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003C4D10
• _wcsstr.LIBVCRUNTIME ref: 003C4D1A
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
APIs
  • Part of subcall function 00363AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00363A97,?,?,00362E7F,?,?,?,00000000), ref: 00363AC2
• _wcslen.LIBCMT ref: 003D587B
• CoInitialize.OLE32(00000000), ref: 003D5995
• CoCreateInstance.OLE32(003FFCF8,00000000,00000001,003FFB68,?), ref: 003D59AE
• CoUninitialize.OLE32 ref: 003D59CC
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
• String ID: .lnk
• API String ID: 3172280962-24824748
APIs
  • Part of subcall function 003C0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003C0FCA
  • Part of subcall function 003C0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003C0FD6
  • Part of subcall function 003C0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003C0FE5
  • Part of subcall function 003C0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003C0FEC
  • Part of subcall function 003C0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003C1002
• GetLengthSid.ADVAPI32(?,00000000,003C1335), ref: 003C17AE
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 003C17BA
• HeapAlloc.KERNEL32(00000000), ref: 003C17C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003C17DA
• GetProcessHeap.KERNEL32(00000000,00000000,003C1335), ref: 003C17EE
• HeapFree.KERNEL32(00000000), ref: 003C17F5
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003C14FF
• OpenProcessToken.ADVAPI32(00000000), ref: 003C1506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003C1515
• CloseHandle.KERNEL32(00000004), ref: 003C1520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003C154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 003C1563
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
APIs
• GetLastError.KERNEL32(?,?,00383379,00382FE5), ref: 00383390
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0038339E
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003833B7
• SetLastError.KERNEL32(00000000,?,00383379,00382FE5), ref: 00383409
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,00395686,003A3CD6,?,00000000,?,00395B6A,?,?,?,?,?,0038E6D1,?,00428A48), ref: 00392D78
• _free.LIBCMT ref: 00392DAB
• _free.LIBCMT ref: 00392DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,0038E6D1,?,00428A48,00000010,00364F4A,?,?,00000000,003A3CD6), ref: 00392DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,0038E6D1,?,00428A48,00000010,00364F4A,?,?,00000000,003A3CD6), ref: 00392DEC
• _abort.LIBCMT ref: 00392DF2
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
  • Part of subcall function 00379639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00379693
  • Part of subcall function 00379639: SelectObject.GDI32(?,00000000), ref: 003796A2
  • Part of subcall function 00379639: BeginPath.GDI32(?), ref: 003796B9
  • Part of subcall function 00379639: SelectObject.GDI32(?,00000000), ref: 003796E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003F8A4E
• LineTo.GDI32(?,00000003,00000000), ref: 003F8A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003F8A70
• LineTo.GDI32(?,00000000,00000003), ref: 003F8A80
• EndPath.GDI32(?), ref: 003F8A90
• StrokePath.GDI32(?), ref: 003F8AA0
Similarity
• API ID: Path$LineMoveObjectSelect$BeginCreateStroke
• String ID:
• API String ID: 43455801-0
                                                                                                            • Opcode ID: d28b1713c1ca44fda514e6518c3cef96ea395edcddd5e1cbd798b20f896cacd8
                                                                                                            • Instruction ID: d25923410462e8bdc6f4e3a5060c8b94aedc421ddf074373e28f07fbac3f6a2b
                                                                                                            • Instruction Fuzzy Hash: 3011097604010DFFEF129F90DC88FAA7F6CEF08364F008022BA199A1A1CB719D55DBA0
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 003C5218
                                                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 003C5229
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C5230
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 003C5238
                                                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 003C524F
                                                                                                            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 003C5261
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDevice$Release
                                                                                                            • String ID:
                                                                                                            • API String ID: 1035833867-0
                                                                                                            • Opcode ID: fbe60edf2c62df20361e59a2b7f0cd8e2509c45f080e49fe981d55557d76605f
                                                                                                            • Instruction ID: 7d63a715a36c93c09d73169d2405a90ad04856b0da63ecee3c7aabd4f17946b5
                                                                                                            • Instruction Fuzzy Hash: 14018B75A41708BBEB119BA69D49F6EBFB8EB48351F044065FA04EB380DA709C00CBA0
                                                                                                            APIs
                                                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00361BF4
                                                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00361BFC
                                                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00361C07
                                                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00361C12
                                                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00361C1A
                                                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00361C22
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4278518827-0
                                                                                                            • Opcode ID: 6083dda1ea64e2440510e60531a412da7cbb20265936bad5130d887c9b6e5b2b
                                                                                                            • Instruction ID: 6bdb2d6e351f833fcc12144d71cffa852c2ed8c964248adc444f5cddd04852ac
                                                                                                            • Instruction Fuzzy Hash: 6F016CB09427597DE3008F5A8C85B52FFA8FF19354F04411B915C47941C7F5A864CBE5
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003CEB30
                                                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003CEB46
                                                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 003CEB55
                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003CEB64
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003CEB6E
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003CEB75
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 839392675-0
                                                                                                            • Opcode ID: fae7c9406128322743037c7f3b5df1722faf57562fa9813e7c896a708b2fe347
                                                                                                            • Instruction ID: bb3cbd0bc0a2e914f4735dfa2f09b7b13f06c3c1174e4cee8456876e7246f231
                                                                                                            • Instruction Fuzzy Hash: 87F09A7229011CBBE7225B629D0EEFF7A7CEFCAB11F001158F601D1090DBA01E01D6B4
                                                                                                            APIs
                                                                                                            • GetClientRect.USER32(?), ref: 003B7452
                                                                                                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 003B7469
                                                                                                            • GetWindowDC.USER32(?), ref: 003B7475
                                                                                                            • GetPixel.GDI32(00000000,?,?), ref: 003B7484
                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 003B7496
                                                                                                            • GetSysColor.USER32(00000005), ref: 003B74B0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 272304278-0
                                                                                                            • Opcode ID: 8dd50cd129e076507fb327efb01a0192628360323370872542155c5e604c66a1
                                                                                                            • Instruction ID: 4538ac35bf4a63b6af8a0777b244bdd1cc9f63e89afe5f3bfdd60dc17c342644
                                                                                                            • Instruction Fuzzy Hash: 4A018B31454209EFEB125F65DD08BFA7BB9FB04312F251160FA19A25A0CB311E51EB10
                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 003C187F
                                                                                                            • UnloadUserProfile.USERENV(?,?), ref: 003C188B
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003C1894
                                                                                                            • CloseHandle.KERNEL32(?), ref: 003C189C
                                                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 003C18A5
                                                                                                            • HeapFree.KERNEL32(00000000), ref: 003C18AC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 146765662-0
                                                                                                            • Opcode ID: 35803f39e77f7ef3610f6ef75c23fc266deae72596df1e52fb947f041df35019
                                                                                                            • Instruction ID: eb7be821427a9c050c702c384876cccc5dd9ef0585b6d3559a6a9b41eed286d4
                                                                                                            • Instruction Fuzzy Hash: B4E0C236094109BBDA026BA1EE0CD1ABF2DFF49B22B109221F22581070CB329430EB50
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0036BEB3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Init_thread_footer
                                                                                                            • String ID: D%C$D%C$D%C$D%CD%C
                                                                                                            • API String ID: 1385522511-703329354
                                                                                                            • Opcode ID: 1b128523375cc50038f53ebba798eac6a36eb034a469f29258ba7687ffbb9dca
                                                                                                            • Instruction ID: c67a02133eb2b1de3c12445fb9546d39b6095212f3d027033e6cdac31db0a656
                                                                                                            • Instruction Fuzzy Hash: 2D914775A0020ADFCB19CF58C0906AAFBF5FF58310F25816AD945EB359E771AA81CF90
                                                                                                            APIs
                                                                                                              • Part of subcall function 00380242: EnterCriticalSection.KERNEL32(0043070C,00431884,?,?,0037198B,00432518,?,?,?,003612F9,00000000), ref: 0038024D
                                                                                                              • Part of subcall function 00380242: LeaveCriticalSection.KERNEL32(0043070C,?,0037198B,00432518,?,?,?,003612F9,00000000), ref: 0038028A
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                              • Part of subcall function 003800A3: __onexit.LIBCMT ref: 003800A9
                                                                                                            • __Init_thread_footer.LIBCMT ref: 003E7BFB
                                                                                                              • Part of subcall function 003801F8: EnterCriticalSection.KERNEL32(0043070C,?,?,00378747,00432514), ref: 00380202
                                                                                                              • Part of subcall function 003801F8: LeaveCriticalSection.KERNEL32(0043070C,?,00378747,00432514), ref: 00380235
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                                            • String ID: +T;$5$G$Variable must be of type 'Object'.
                                                                                                            • API String ID: 535116098-1502520173
                                                                                                            • Opcode ID: ee5d20e19a9d846d03302a8af98b343fcf5bb0af0563a9374b7ea3447187bc67
                                                                                                            • Instruction ID: 0501fa1b58d78db48db48064f83580087fe61cbc4dc4643dfb19b579857574dd
                                                                                                            • Instruction Fuzzy Hash: 3C91BB74A04259EFCB06EF96D9909BEB7B5FF49300F108159F806AB292DB70AE41CB50
                                                                                                            APIs
                                                                                                              • Part of subcall function 00367620: _wcslen.LIBCMT ref: 00367625
                                                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003CC6EE
                                                                                                            • _wcslen.LIBCMT ref: 003CC735
                                                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003CC79C
                                                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003CC7CA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ItemMenu$Info_wcslen$Default
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 1227352736-4108050209
                                                                                                            • Opcode ID: bd3691558edda8e14140f2f3077787eb906155fb7bacdbbbff1998dc69f84fe9
                                                                                                            • Instruction ID: 2faa80041428fa433b7f73ecb28539ae39740de212c0706e5088d17cfe7c8072
                                                                                                            • Opcode Fuzzy Hash: bd3691558edda8e14140f2f3077787eb906155fb7bacdbbbff1998dc69f84fe9
                                                                                                            • Instruction Fuzzy Hash: C551CE716243009FD712AF28C985F6BB7E8EF49310F086A2DF999D71A0DB64DC04CB56
                                                                                                            APIs
                                                                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 003EAEA3
                                                                                                              • Part of subcall function 00367620: _wcslen.LIBCMT ref: 00367625
                                                                                                            • GetProcessId.KERNEL32(00000000), ref: 003EAF38
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 003EAF67
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                            • String ID: <$@
                                                                                                            • API String ID: 146682121-1426351568
                                                                                                            • Opcode ID: 0b807866faa94f3b579635d83793b4be2247f8ba8ca261a504e909b5c6d2153c
                                                                                                            • Instruction ID: a3b84965258767a8acdc6c9fb1b2e3518ff75d32a48a5177155dd47dccf12e25
                                                                                                            • Opcode Fuzzy Hash: 0b807866faa94f3b579635d83793b4be2247f8ba8ca261a504e909b5c6d2153c
                                                                                                            • Instruction Fuzzy Hash: D6717774A00668DFCB16EF55C494A9EBBF0BF08304F058599E816AF3A2C774ED45CB91
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003C7206
                                                                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003C723C
                                                                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003C724D
                                                                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003C72CF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                            • String ID: DllGetClassObject
                                                                                                            • API String ID: 753597075-1075368562
                                                                                                            • Opcode ID: aec2508482de552421e0ca1d5a1c42c41e3638026494db545db0943f5830bd63
                                                                                                            • Instruction ID: 7a9d288110147e8c319a6c1e868bc63b374f535a7b155652769e9b1540e2a3db
                                                                                                            • Opcode Fuzzy Hash: aec2508482de552421e0ca1d5a1c42c41e3638026494db545db0943f5830bd63
                                                                                                            • Instruction Fuzzy Hash: FB41F571A04204ABDB16CF54C984FAA7AA9AF44310B2584ADBD05DF20AD7B1DD45CBA0
                                                                                                            APIs
                                                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003F3E35
                                                                                                            • IsMenu.USER32(?), ref: 003F3E4A
                                                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003F3E92
                                                                                                            • DrawMenuBar.USER32 ref: 003F3EA5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Item$DrawInfoInsert
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 3076010158-4108050209
                                                                                                            • Opcode ID: e0d0a18ea70fd5f51ad42f6209f2c45e8ef14a5da2fb782e5649ba8ad9d8654c
                                                                                                            • Instruction ID: c8ed40764793293c97f22a594a89779a64d42bd776bfa1bdc13b401567b95705
                                                                                                            • Opcode Fuzzy Hash: e0d0a18ea70fd5f51ad42f6209f2c45e8ef14a5da2fb782e5649ba8ad9d8654c
                                                                                                            • Instruction Fuzzy Hash: C9415576A0020DAFDF11DF60D884AEABBB9FF59350F054029EA05AB250D730AE44CF60
                                                                                                            APIs
                                                                                                              • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
                                                                                                              • Part of subcall function 003C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003C3CCA
                                                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003C1E66
                                                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003C1E79
                                                                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 003C1EA9
                                                                                                              • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$_wcslen$ClassName
                                                                                                            • String ID: ComboBox$ListBox
                                                                                                            • API String ID: 2081771294-1403004172
                                                                                                            • Opcode ID: 73e94b36877fa14d5c3c8f90d988656a34c2431058ad54b3c1a4a695963eb0b1
                                                                                                            • Instruction ID: 23889e4b3ee9fb91cb3d388b12104f00cbdcbf2c140c009734ef2a6540b668e0
                                                                                                            • Opcode Fuzzy Hash: 73e94b36877fa14d5c3c8f90d988656a34c2431058ad54b3c1a4a695963eb0b1
                                                                                                            • Instruction Fuzzy Hash: 34210471A40108AADB16AB74DD46EFFB7BCAF42350B14811DF815EB1E1DB384D0AD720
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003F2F8D
                                                                                                            • LoadLibraryW.KERNEL32(?), ref: 003F2F94
                                                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003F2FA9
                                                                                                            • DestroyWindow.USER32(?), ref: 003F2FB1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                            • String ID: SysAnimate32
                                                                                                            • API String ID: 3529120543-1011021900
                                                                                                            • Opcode ID: b0e87382f0c8a85532fff93cb7ccffce265382f7042b44cb5bc79aa34f09d585
                                                                                                            • Instruction ID: 011aefeca1b14198b7217ad10d36f3ce585e86aa31e745616c80d91ac208136a
                                                                                                            • Opcode Fuzzy Hash: b0e87382f0c8a85532fff93cb7ccffce265382f7042b44cb5bc79aa34f09d585
                                                                                                            • Instruction Fuzzy Hash: 4E21A97222430EEBEB124FA4DC80EBB77BDEB59364F124628FA50D61A0D771DC919760
                                                                                                            APIs
                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00384D1E,003928E9,?,00384CBE,003928E9,004288B8,0000000C,00384E15,003928E9,00000002), ref: 00384D8D
                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00384DA0
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,00384D1E,003928E9,?,00384CBE,003928E9,004288B8,0000000C,00384E15,003928E9,00000002,00000000), ref: 00384DC3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                            • Opcode ID: f845d614d9395a46468e7aa0f1ec14da61ee851f5156ed00dee3d051847b5f22
                                                                                                            • Instruction ID: 11a67d328c807c143d13764be78e6fae960877df3c4375c63086129e6c7709fd
                                                                                                            • Opcode Fuzzy Hash: f845d614d9395a46468e7aa0f1ec14da61ee851f5156ed00dee3d051847b5f22
                                                                                                            • Instruction Fuzzy Hash: C0F0C234A5030DBBDB12AF90DC49BADBFB9EF04751F0000A5F805A36A1CB345D44CB94
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00364EDD,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E9C
                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00364EAE
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00364EDD,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364EC0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Library$AddressFreeLoadProc
                                                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                            • API String ID: 145871493-3689287502
                                                                                                            • Opcode ID: a239a079f232d1cf4304a931f608f21f35cb95794a08e0d41dea66253cc84392
                                                                                                            • Instruction ID: 47d7f67ec62ce39ce98ac3f36ec86c127f30b76e2085555b7c4bc44ba7c076c6
                                                                                                            • Opcode Fuzzy Hash: a239a079f232d1cf4304a931f608f21f35cb95794a08e0d41dea66253cc84392
                                                                                                            • Instruction Fuzzy Hash: 70E0CD35F525365BD2331B257D18B7FA56CAF82F63F065115FD05D2104DB64CD01C0A0
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,003A3CDE,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E62
                                                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00364E74
                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,003A3CDE,?,00431418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00364E87
                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 145871493-1355242751
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003D2C05
• DeleteFileW.KERNEL32(?), ref: 003D2C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003D2C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003D2CAE
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003D2CC0
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
APIs
• GetCurrentProcessId.KERNEL32 ref: 003EA427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003EA435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 003EA468
• CloseHandle.KERNEL32(?), ref: 003EA63D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00403700), ref: 0039BB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,0043121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0039BC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00431270,000000FF,?,0000003F,00000000,?), ref: 0039BC36
• _free.LIBCMT ref: 0039BB7F
  • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
  • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
• _free.LIBCMT ref: 0039BD4B
Similarity
• API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
• String ID:
• API String ID: 1286116820-0
APIs
  • Part of subcall function 003CDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003CCF22,?), ref: 003CDDFD
  • Part of subcall function 003CDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003CCF22,?), ref: 003CDE16
  • Part of subcall function 003CE199: GetFileAttributesW.KERNEL32(?,003CCF95), ref: 003CE19A
• lstrcmpiW.KERNEL32(?,?), ref: 003CE473
• MoveFileW.KERNEL32(?,?), ref: 003CE4AC
• _wcslen.LIBCMT ref: 003CE5EB
• _wcslen.LIBCMT ref: 003CE603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003CE650
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003EC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003EB6AE,?,?), ref: 003EC9B5
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003EC9F1
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA68
  • Part of subcall function 003EC998: _wcslen.LIBCMT ref: 003ECA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003EBAA5
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003EBB00
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003EBB63
• RegCloseKey.ADVAPI32(?,?), ref: 003EBBA6
• RegCloseKey.ADVAPI32(00000000), ref: 003EBBB3
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
APIs
• VariantInit.OLEAUT32(?), ref: 003C8BCD
• VariantClear.OLEAUT32 ref: 003C8C3E
• VariantClear.OLEAUT32 ref: 003C8C9D
• VariantClear.OLEAUT32(?), ref: 003C8D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003C8D3B
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003D8BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003D8BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003D8C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003D8C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003D8C5F
                                                                                                            Similarity
                                                                                                            • API ID: PrivateProfile$SectionWrite$String
                                                                                                            • String ID:
                                                                                                            • API String ID: 2832842796-0
                                                                                                            • Opcode ID: bb295bfc1c4f800c3296c75081cca2876a6120037017e5344120a4bc3d1c7a19
                                                                                                            • Instruction ID: 99f304af4d07731f4dc4597f98479cc17dd39c0231b0f030bbd9fdb6c2aee653
                                                                                                            • Opcode Fuzzy Hash: bb295bfc1c4f800c3296c75081cca2876a6120037017e5344120a4bc3d1c7a19
                                                                                                            • Instruction Fuzzy Hash: 40514D35A10214DFCB16DF64C880A69BBF5FF49314F08C499E949AB362DB35ED51CB90
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 003E8F40
• GetProcAddress.KERNEL32(00000000,?), ref: 003E8FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 003E8FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 003E9032
• FreeLibrary.KERNEL32(00000000), ref: 003E9052
  • Part of subcall function 0037F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003D1043,?,7644E610), ref: 0037F6E6
  • Part of subcall function 0037F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003BFA64,00000000,00000000,?,?,003D1043,?,7644E610,?,003BFA64), ref: 0037F70D
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
• Opcode ID: 48a0bb6464772626f8711e14e65bd82ce120aeda42ebf84529217df5d1b225b0
• Instruction ID: da10b47593c83c14f869d570b0ead300bbe044a0e6199f9dd78ac21e78b6dbbc
• Opcode Fuzzy Hash: 48a0bb6464772626f8711e14e65bd82ce120aeda42ebf84529217df5d1b225b0
• Instruction Fuzzy Hash: 0F515B34A00255DFC712DF55C4849ADBBF5FF49314B058199E80A9F7A2DB31ED86CB90
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 003F6C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 003F6C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003F6C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003DAB79,00000000,00000000), ref: 003F6C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003F6CC7
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: cb09e17a6eae7326631f2fe3e5bdd71a2c0b898f38e9a3ecb9b88dc31d5b5197
• Instruction ID: 98623bd81da7a2f33ff15ff7d93eab184c34cc07f44863d3f313af23b5782d3a
• Opcode Fuzzy Hash: cb09e17a6eae7326631f2fe3e5bdd71a2c0b898f38e9a3ecb9b88dc31d5b5197
• Instruction Fuzzy Hash: 6841D43560410CAFD726CF69CD5AFB97BA9EB09350F160228FAD9E72E1C371AD41CA40
APIs
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: 334e28b8724a254f1090c08a8d700dd74b359e07c09bd1bc490cbd585bd7bfe5
• Instruction ID: 762bdc1cdcdaf0a8056b5f8732b60f711a8d6bf395eb2fd24f91abdecaffd6b0
• Opcode Fuzzy Hash: 334e28b8724a254f1090c08a8d700dd74b359e07c09bd1bc490cbd585bd7bfe5
• Instruction Fuzzy Hash: 4341B232A00600AFCF26DF78C881A5EB7A5EF89314F1645A9E515EB351D731AD01CB81
APIs
• GetCursorPos.USER32(?), ref: 00379141
• ScreenToClient.USER32(00000000,?), ref: 0037915E
• GetAsyncKeyState.USER32(00000001), ref: 00379183
• GetAsyncKeyState.USER32(00000002), ref: 0037919D
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: e8a9c07e21cfc9e9bcdabae10334f64c1f16264099c59bf7c1db33fe2759d91d
• Instruction ID: 586bf8a22ba6d49f09976a9a6cb5654214332aa8ae5db7db51bf7f979a9e3cd6
• Opcode Fuzzy Hash: e8a9c07e21cfc9e9bcdabae10334f64c1f16264099c59bf7c1db33fe2759d91d
• Instruction Fuzzy Hash: 2841707190850AFBDF169F68C844BFEB774FB45324F21831AE529A7290C7345954CB61
APIs
• GetInputState.USER32 ref: 003D38CB
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 003D3922
• TranslateMessage.USER32(?), ref: 003D394B
• DispatchMessageW.USER32(?), ref: 003D3955
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D3966
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID:
• API String ID: 2256411358-0
• Opcode ID: 2c45dd1b5992b86abf376ca2d33e90b83e22974b17e42e199c92a91e5fc01c89
• Instruction ID: b6c4fbfc699d47e3e7008fd40c4f5106cd11cca0120ef2812f00ab7445b37106
• Opcode Fuzzy Hash: 2c45dd1b5992b86abf376ca2d33e90b83e22974b17e42e199c92a91e5fc01c89
• Instruction Fuzzy Hash: B731D9729043459EEB37CB35B958BB637A8EB05300F05056BE466832A0D3F49E84DB17
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,003DC21E,00000000), ref: 003DCF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 003DCF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,003DC21E,00000000), ref: 003DCFB4
• SetEvent.KERNEL32(?,?,00000000,?,?,?,003DC21E,00000000), ref: 003DCFC8
• SetEvent.KERNEL32(?,?,00000000,?,?,?,003DC21E,00000000), ref: 003DCFF2
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: EventInternet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 3191363074-0
• Opcode ID: 3d82a9e5409f0820c1d484cf9b41951be677897b5ef9b536678dd22246a35f02
• Instruction ID: 74e44ab7bb5f35a78293cc3a0885d6ca195d7c3af091f8c19495ecae408b5e58
• Opcode Fuzzy Hash: 3d82a9e5409f0820c1d484cf9b41951be677897b5ef9b536678dd22246a35f02
• Instruction Fuzzy Hash: 39314F7252420AAFDB22DFA5E9849ABBBFDFB14350B10542FF506D6241DB30AD44DB60
APIs
• GetWindowRect.USER32(?,?), ref: 003C1915
• PostMessageW.USER32(00000001,00000201,00000001), ref: 003C19C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 003C19C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 003C19DA
• Sleep.KERNEL32(00000000,?,?,?,?), ref: 003C19E2
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: 3b3dcb68edf76912a7b9b82dab8ab2853af5028c00fa2f7d8eecd9a4aa5b7336
• Instruction ID: e335432c842d17ed3541a64e51aa91ff4f65009debe4c84281cf314b47cddaa9
• Opcode Fuzzy Hash: 3b3dcb68edf76912a7b9b82dab8ab2853af5028c00fa2f7d8eecd9a4aa5b7336
• Instruction Fuzzy Hash: 18319E72A00219EFCB11CFA8C999BAE7BB5EB05315F104229F921E72D1C7709D54DB90
APIs
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 003F5745
• SendMessageW.USER32(?,00001074,?,00000001), ref: 003F579D
• _wcslen.LIBCMT ref: 003F57AF
• _wcslen.LIBCMT ref: 003F57BA
• SendMessageW.USER32(?,00001002,00000000,?), ref: 003F5816
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID:
• API String ID: 763830540-0
• Opcode ID: 82cb0afbf32304a8392ccd99a6a7889f8852f5a75c14d7305e8e13ebed72c4e5
• Instruction ID: 5e06a9003e6d7442023d6b4c018071defcc7067f4585860717ec275b0807c224
• Opcode Fuzzy Hash: 82cb0afbf32304a8392ccd99a6a7889f8852f5a75c14d7305e8e13ebed72c4e5
• Instruction Fuzzy Hash: F621827190461C9ADB22AFA1CC85AFEB7BCFF04724F108256EB29EA190D7708985CF50
                                                                                                            APIs
                                                                                                            • IsWindow.USER32(00000000), ref: 003E0951
                                                                                                            • GetForegroundWindow.USER32 ref: 003E0968
                                                                                                            • GetDC.USER32(00000000), ref: 003E09A4
                                                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 003E09B0
                                                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 003E09E8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ForegroundPixelRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 4156661090-0
                                                                                                            • Opcode ID: 64a08a835bac3cb7f4ca39fb552c98ca5d80ad29d7e7eea909c9266053230e7e
                                                                                                            • Instruction ID: d7a6e607041f1fe4cc5518fddec0abd4ca177328d4807e62d4d3108c40b02d81
                                                                                                            • Opcode Fuzzy Hash: 64a08a835bac3cb7f4ca39fb552c98ca5d80ad29d7e7eea909c9266053230e7e
                                                                                                            • Instruction Fuzzy Hash: BB219036600218AFD705EF65D984AAEBBF9EF49700F048469F84ADB762DB70AC44CB50
                                                                                                            APIs
                                                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0039CDC6
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0039CDE9
                                                                                                              • Part of subcall function 00393820: RtlAllocateHeap.NTDLL(00000000,?,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6,?,00361129), ref: 00393852
                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0039CE0F
                                                                                                            • _free.LIBCMT ref: 0039CE22
                                                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0039CE31
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 336800556-0
                                                                                                            • Opcode ID: 1fe248dfa3301a7c01250070e9f04466d9b3890c8af72e8e9474a4e7ec3580cb
                                                                                                            • Instruction ID: 04b49544897f14792c2652b6ac53fdab16c8bbdead9ba1baad6dfa0a861300b0
                                                                                                            • Opcode Fuzzy Hash: 1fe248dfa3301a7c01250070e9f04466d9b3890c8af72e8e9474a4e7ec3580cb
                                                                                                            • Instruction Fuzzy Hash: 9301F772A212157F6B2316B66C8CC7B796DEEC6BA23162129FD06C7200EA608D01C2F0
                                                                                                            APIs
                                                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00379693
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 003796A2
                                                                                                            • BeginPath.GDI32(?), ref: 003796B9
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 003796E2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                                                            • String ID:
                                                                                                            • API String ID: 3225163088-0
                                                                                                            • Opcode ID: dd40788d50af75b9f354000a3e3de2d2905131bc1a5d016497868d724e466a7e
                                                                                                            • Instruction ID: 8f6d9e5449b7cf14735f57b2a81228ea72a4c0c9c72ea2b4f5ca2794b1eba3b7
                                                                                                            • Opcode Fuzzy Hash: dd40788d50af75b9f354000a3e3de2d2905131bc1a5d016497868d724e466a7e
                                                                                                            • Instruction Fuzzy Hash: 792180B0812305EFDB229F24DD14BA93BA8BF40735F119326F418A61B0D3749891CB98
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: _memcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 2931989736-0
                                                                                                            • Opcode ID: a068c2ce568d667c8b0acc165b6818a5c90fe803df0c956c5a43f37b4433e8b0
                                                                                                            • Instruction ID: 549219d979a2bf68ad41eb51745ef3aeb1adecca5414259c51342913813672c7
                                                                                                            • Opcode Fuzzy Hash: a068c2ce568d667c8b0acc165b6818a5c90fe803df0c956c5a43f37b4433e8b0
                                                                                                            • Instruction Fuzzy Hash: 68019266641A19BED21A66109E82FFA635C9F21394B004028FE04DE641F760FD9183A4
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,?,0038F2DE,00393863,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6), ref: 00392DFD
                                                                                                            • _free.LIBCMT ref: 00392E32
                                                                                                            • _free.LIBCMT ref: 00392E59
                                                                                                            • SetLastError.KERNEL32(00000000,00361129), ref: 00392E66
                                                                                                            • SetLastError.KERNEL32(00000000,00361129), ref: 00392E6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3170660625-0
                                                                                                            • Opcode ID: 07780e12c79c8049d1573e1d299a16cfddf9273b815ccc54a8f076953dd8c57a
                                                                                                            • Instruction ID: 1b577bd17704ffe9fcc7201e556ca76da998447679766d95437dfa7d0ff597ce
                                                                                                            • Opcode Fuzzy Hash: 07780e12c79c8049d1573e1d299a16cfddf9273b815ccc54a8f076953dd8c57a
                                                                                                            • Instruction Fuzzy Hash: 3701F476A45E007BCE1377346CC6D3B269DAFC13A5B260429F425A6193EB648C018560
                                                                                                            APIs
                                                                                                            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?,?,003C035E), ref: 003C002B
                                                                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?), ref: 003C0046
                                                                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?), ref: 003C0054
                                                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?), ref: 003C0064
                                                                                                            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003BFF41,80070057,?,?), ref: 003C0070
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                            • String ID:
                                                                                                            • API String ID: 3897988419-0
                                                                                                            • Opcode ID: fa9763384126f8850fefb727402e690f98f8209e749575dfd46a446d92b656c2
                                                                                                            • Instruction ID: f3ef064204561d03cde1e2fbea8e4f4aa2d42da523c7f28a23e0489aa4b56de5
                                                                                                            • Opcode Fuzzy Hash: fa9763384126f8850fefb727402e690f98f8209e749575dfd46a446d92b656c2
                                                                                                            • Instruction Fuzzy Hash: 1B01D672610228FFDB124F68DC08FAA7AADEB48792F124028F805D2210EB70DD00CBA0
                                                                                                            APIs
                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 003CE997
                                                                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 003CE9A5
                                                                                                            • Sleep.KERNEL32(00000000), ref: 003CE9AD
                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 003CE9B7
                                                                                                            • Sleep.KERNEL32 ref: 003CE9F3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                            • String ID:
                                                                                                            • API String ID: 2833360925-0
                                                                                                            • Opcode ID: 36519018e492712d535025f42c8642267330b5e2fdbf427e03963e46f96fe2b3
                                                                                                            • Instruction ID: 1ffc3a27e1d2744c7f4a4b3bad7c1cf1da14b40a4c4fbd96452d83c2643441f9
                                                                                                            • Opcode Fuzzy Hash: 36519018e492712d535025f42c8642267330b5e2fdbf427e03963e46f96fe2b3
                                                                                                            • Instruction Fuzzy Hash: 57015731C1162DDBCF02ABE4DD49AEDBB78FF09300F01055AE502F2240CB389A51CBA2
                                                                                                            APIs
                                                                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003C1114
                                                                                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1120
                                                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C112F
                                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003C0B9B,?,?,?), ref: 003C1136
                                                                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003C114D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 842720411-0
                                                                                                            • Opcode ID: d59eb8b0f59357a3c9bf1a60f8dc454e00c989b133d30ee3b7887ca3d1bc8ae6
                                                                                                            • Instruction ID: 94e752e2d1aa0b0ea71b7c0df2492a51b8c59dd1821b71fa4294f6d8c46e328d
                                                                                                            • Opcode Fuzzy Hash: d59eb8b0f59357a3c9bf1a60f8dc454e00c989b133d30ee3b7887ca3d1bc8ae6
                                                                                                            • Instruction Fuzzy Hash: F0016979240209BFDB125FA4DD49E6A3B6EEF8A3A0F250429FA41C3360DB31DC10DB60
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003C0FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003C0FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003C0FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003C0FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003C1002
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003C102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003C1036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003C1045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003C104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003C1062
APIs
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D0324
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D0331
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D033E
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D034B
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D0358
• CloseHandle.KERNEL32(?,?,?,?,003D017D,?,003D32FC,?,00000001,003A2592,?), ref: 003D0365
APIs
• _free.LIBCMT ref: 0039D752
  • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
  • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
• _free.LIBCMT ref: 0039D764
• _free.LIBCMT ref: 0039D776
• _free.LIBCMT ref: 0039D788
• _free.LIBCMT ref: 0039D79A
APIs
• GetDlgItem.USER32(?,000003E9), ref: 003C5C58
• GetWindowTextW.USER32(00000000,?,00000100), ref: 003C5C6F
• MessageBeep.USER32(00000000), ref: 003C5C87
• KillTimer.USER32(?,0000040A), ref: 003C5CA3
• EndDialog.USER32(?,00000001), ref: 003C5CBD
APIs
• _free.LIBCMT ref: 003922BE
  • Part of subcall function 003929C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000), ref: 003929DE
  • Part of subcall function 003929C8: GetLastError.KERNEL32(00000000,?,0039D7D1,00000000,00000000,00000000,00000000,?,0039D7F8,00000000,00000007,00000000,?,0039DBF5,00000000,00000000), ref: 003929F0
• _free.LIBCMT ref: 003922D0
• _free.LIBCMT ref: 003922E3
• _free.LIBCMT ref: 003922F4
• _free.LIBCMT ref: 00392305
APIs
• EndPath.GDI32(?), ref: 003795D4
• StrokeAndFillPath.GDI32(?,?,003B71F7,00000000,?,?,?), ref: 003795F0
• SelectObject.GDI32(?,00000000), ref: 00379603
• DeleteObject.GDI32 ref: 00379616
• StrokePath.GDI32(?), ref: 00379631
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                            • String ID:
                                                                                                            • API String ID: 2625713937-0
                                                                                                            • Opcode ID: 276f0eb8abfb31232b60d20b786aaaeb533c479df70d26b8444bd2ea01dd6dd9
                                                                                                            • Instruction ID: 5b18693d6ebbac4176334fe3c205853eff7a556c27de246f2c56fd32dd2006ef
                                                                                                            • Opcode Fuzzy Hash: 276f0eb8abfb31232b60d20b786aaaeb533c479df70d26b8444bd2ea01dd6dd9
                                                                                                            • Instruction Fuzzy Hash: 20F03174045609DBE7235F55ED1CB743B65AB01332F049325F459550F0CB388955DF24
                                                                                                            APIs
                                                                                                            Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: __freea$_free
• String ID: a/p$am/pm
• API String ID: 3432400110-3206640213
APIs
  • Part of subcall function 00380242: EnterCriticalSection.KERNEL32(0043070C,00431884,?,?,0037198B,00432518,?,?,?,003612F9,00000000), ref: 0038024D
  • Part of subcall function 00380242: LeaveCriticalSection.KERNEL32(0043070C,?,0037198B,00432518,?,?,?,003612F9,00000000), ref: 0038028A
  • Part of subcall function 003800A3: __onexit.LIBCMT ref: 003800A9
• __Init_thread_footer.LIBCMT ref: 003E6238
  • Part of subcall function 003801F8: EnterCriticalSection.KERNEL32(0043070C,?,?,00378747,00432514), ref: 00380202
  • Part of subcall function 003801F8: LeaveCriticalSection.KERNEL32(0043070C,?,00378747,00432514), ref: 00380235
  • Part of subcall function 003D359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003D35E4
  • Part of subcall function 003D359C: LoadStringW.USER32(00432390,?,00000FFF,?), ref: 003D360A
Strings
Similarity
• API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
• String ID: x#C$x#C$x#C
• API String ID: 1072379062-1947026528
Strings
Similarity
• API ID:
• String ID: JO6
• API String ID: 0-974591831
APIs
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00398B6E
• GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00398B7A
• __dosmaperr.LIBCMT ref: 00398B81
Strings
Similarity
• API ID: ByteCharErrorLastMultiWide__dosmaperr
• String ID: .8
• API String ID: 2434981716-2175067728
APIs
  • Part of subcall function 003CB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003C21D0,?,?,00000034,00000800,?,00000034), ref: 003CB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003C2760
  • Part of subcall function 003CB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003C21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 003CB3F8
  • Part of subcall function 003CB32A: GetWindowThreadProcessId.USER32(?,?), ref: 003CB355
  • Part of subcall function 003CB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003C2194,00000034,?,?,00001004,00000000,00000000), ref: 003CB365
  • Part of subcall function 003CB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003C2194,00000034,?,?,00001004,00000000,00000000), ref: 003CB37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003C27CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003C281A
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe,00000104), ref: 00391769
• _free.LIBCMT ref: 00391834
• _free.LIBCMT ref: 0039183E
Strings
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.exe
• API String ID: 2506810119-495327736
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003CC306
• DeleteMenu.USER32(?,00000007,00000000), ref: 003CC34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00431990,0164C0A8), ref: 003CC395
Strings
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003FCC08,00000000,?,?,?,?), ref: 003F44AA
• GetWindowLongW.USER32 ref: 003F44C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 003F44D7
Strings
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
• SysReAllocString.OLEAUT32(?,?), ref: 003C6EED
• VariantCopyInd.OLEAUT32(?,?), ref: 003C6F08
• VariantClear.OLEAUT32(?), ref: 003C6F12
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Variant$AllocClearCopyString
• String ID: *j<
• API String ID: 2173805711-2061952398
• Opcode ID: 90002f35b0e2ab2f044e23137fa0746cf36f14f113a9683bbac2236d96fb7db0
• Instruction ID: 3e956573a2d933a2e5eb344cac6cd0abd354a921b4e35e4fdd657746bfe313d1
• Opcode Fuzzy Hash: 90002f35b0e2ab2f044e23137fa0746cf36f14f113a9683bbac2236d96fb7db0
• Instruction Fuzzy Hash: A0317072604245DBCB07AF64E852EBD7779EF8A304B1054ADFA02CF2A1C7749D62DB90
APIs
  • Part of subcall function 003E335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,003E3077,?,?), ref: 003E3378
• inet_addr.WSOCK32(?), ref: 003E307A
• _wcslen.LIBCMT ref: 003E309B
• htons.WSOCK32(00000000), ref: 003E3106
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
• Opcode ID: 4583c5286b20fa2c867e56003f6d3438a0e7ff3c1d9c075c4d27ad5cc2f15d21
• Instruction ID: 28b96f7a41a39cfe4b211d12a73b30cccafcbb3a45fbf9ace33f06c183fcf893
• Opcode Fuzzy Hash: 4583c5286b20fa2c867e56003f6d3438a0e7ff3c1d9c075c4d27ad5cc2f15d21
• Instruction Fuzzy Hash: 7431F5352042959FCB22DF2AC589E6977E4EF54318F268299E8168F7D2C732EE41C760
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003F4705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003F4713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003F471A
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: 07527ca7b6759a126d38f506b1804913571f832f8daad99f71467a9038f4e8ce
• Instruction ID: 1cdc581118f0c3d2acdb8bdfdac5bf2134abb8e1c48e6f2ee12b6ffa966d453e
• Opcode Fuzzy Hash: 07527ca7b6759a126d38f506b1804913571f832f8daad99f71467a9038f4e8ce
• Instruction Fuzzy Hash: D4213EB5604209AFDB12DF64DC81DB737ADEF9A398B150059FA109B261CB71EC15CA60
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
• Opcode ID: 89913813304c5be71038f71e7f4438c83d0909c4256ebae3d90fb12f2c9c6477
• Instruction ID: 6265c966db240d4424ba6341f5b8af9000a478e39c926a63fdfdb10d95f611d2
• Opcode Fuzzy Hash: 89913813304c5be71038f71e7f4438c83d0909c4256ebae3d90fb12f2c9c6477
• Instruction Fuzzy Hash: 312138322046116AD333BB24DC0AFB7739CAF55324F52402FF949DB581EB61AD55C395
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003F3840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003F3850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003F3876
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: e80f04cb3d073b1b368671fe41c0b41fbd1f124f2ddc31cc82b40b2fe0143b71
• Instruction ID: 0fc8f502778e08702970c8be6e043fa977d5bccbb42a5ffc6ca7f76a5db6b3cc
• Opcode Fuzzy Hash: e80f04cb3d073b1b368671fe41c0b41fbd1f124f2ddc31cc82b40b2fe0143b71
• Instruction Fuzzy Hash: 74218E7265021CBBEB229F64DC85FBB376EEF897A0F118124FA049B190C675DC56C7A0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 003D4A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003D4A5C
• SetErrorMode.KERNEL32(00000000,?,?,003FCC08), ref: 003D4AD0
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: e6c5a5e23932afe5d3c8a5cf0e240d5129e67f83067e55b806029ec5389a1ce9
• Instruction ID: aa0e936b42fdd7d1a149d89ffcf20537c51e5457cb4715ab2f20083bd1eba7c3
• Opcode Fuzzy Hash: e6c5a5e23932afe5d3c8a5cf0e240d5129e67f83067e55b806029ec5389a1ce9
• Instruction Fuzzy Hash: CF314C75A40108AFDB11DF54C985EAA7BF8EF08308F1480A9F909DF252D771ED45CB61
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003F424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003F4264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003F4271
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: caf33a4cd054ff696cf107080bfa2f08cc4d66d50cd7332a2bf6066e2fe17e7e
• Instruction ID: 5863154779ccd046fe47ebb2d1db3354268e73a5a92657a2564ee81c3d3c8eb9
• Opcode Fuzzy Hash: caf33a4cd054ff696cf107080bfa2f08cc4d66d50cd7332a2bf6066e2fe17e7e
• Instruction Fuzzy Hash: 1511E031240248BEEF225F28CC06FBB7BACEF85B64F120525FA55E60A0D271D811DB24
APIs
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
  • Part of subcall function 003C2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003C2DC5
  • Part of subcall function 003C2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 003C2DD6
  • Part of subcall function 003C2DA7: GetCurrentThreadId.KERNEL32 ref: 003C2DDD
  • Part of subcall function 003C2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003C2DE4
• GetFocus.USER32 ref: 003C2F78
  • Part of subcall function 003C2DEE: GetParent.USER32(00000000), ref: 003C2DF9
• GetClassNameW.USER32(?,?,00000100), ref: 003C2FC3
• EnumChildWindows.USER32(?,003C303B), ref: 003C2FEB
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: f61621a1082abc887ed0459ce661b34dfe8155d3c6fe72bce64973526df21f86
• Instruction ID: 1d902a77791d0283c2f4c5d4926e95f0653214f95d68b60843182717404b3db5
• Opcode Fuzzy Hash: f61621a1082abc887ed0459ce661b34dfe8155d3c6fe72bce64973526df21f86
• Instruction Fuzzy Hash: B811D271200209ABCF127F649C9AFFE376AAF94304F048079F90ADB192DE709D09CB60
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003F58C1
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003F58EE
• DrawMenuBar.USER32(?), ref: 003F58FD
                                                                                                            Similarity
                                                                                                            • API ID: Menu$InfoItem$Draw
                                                                                                            • String ID: 0
                                                                                                            • API String ID: 3227129158-4108050209
                                                                                                            • Opcode ID: bb05fc7c2ca08c3bcd87fd5250c44ce896c1d25909314e56ba7b966c51d57f13
                                                                                                            • Instruction ID: e16fe9391914fff463e682aafa2611dfc5f9e1dede20363d810716177c2fc811
                                                                                                            • Opcode Fuzzy Hash: bb05fc7c2ca08c3bcd87fd5250c44ce896c1d25909314e56ba7b966c51d57f13
                                                                                                            • Instruction Fuzzy Hash: C0010C3151421CEEDB229F11D844BABBBB8BF45361F108099EA49DA161DB748A94DF21
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003BD3BF
• FreeLibrary.KERNEL32 ref: 003BD3E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• API String ID: 3013587201-2590602151
• Opcode ID: 8e41dab2552537c9294a0c331163d02db7822e55706d6eba28aada945d8d3dd8
• Instruction ID: baa9f46916ccbb668c467a00a800f85bbd024e98b3f9939972c4de4d198342b5
• Opcode Fuzzy Hash: 8e41dab2552537c9294a0c331163d02db7822e55706d6eba28aada945d8d3dd8
• Instruction Fuzzy Hash: C7F0552D981A259BD33302104C64AF97328AF00709F5AE92AEA0BE9C06F738CC448682
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 309857a9acab12d4da067491baea14b12cc3def246ad26a820e945fab92ae9e1
• Instruction ID: e1eec7e650e2398933b16ebd1ca68c490f90d7ec043dda355b989154f0d9faf9
• Opcode Fuzzy Hash: 309857a9acab12d4da067491baea14b12cc3def246ad26a820e945fab92ae9e1
• Instruction Fuzzy Hash: 58C14775A0025AEFCB09CFA8C894FAAB7B9FF48304F158598E505EB251C731EE41CB90
APIs
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Variant$ClearInitInitializeUninitialize
• String ID:
• API String ID: 1998397398-0
• Opcode ID: 181430b6d76d08a397fa0836730cfcfeab0e4809eccc70664587f0755b6da822
• Instruction ID: 52f06f75828dc3f7b8aced36df59a1223f05badab6495332e69467fd76bfadf1
• Opcode Fuzzy Hash: 181430b6d76d08a397fa0836730cfcfeab0e4809eccc70664587f0755b6da822
• Instruction Fuzzy Hash: C6A16B752142109FC712DF29C485A2ABBE9FF89714F058959F98A9F3A2DB30EE01CB51
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003FFC08,?), ref: 003C05F0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003FFC08,?), ref: 003C0608
• CLSIDFromProgID.OLE32(?,?,00000000,003FCC40,000000FF,?,00000000,00000800,00000000,?,003FFC08,?), ref: 003C062D
• _memcmp.LIBVCRUNTIME ref: 003C064E
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
• API String ID: 314563124-0
• Opcode ID: b134bfc99b4937bcdc6a8f2266ea4a9844673ec99e69820db13004ad9790fc17
• Instruction ID: c12042ba6701dbdff4ed6a1de7328af25588ea64eaf663cfd4a50be1b709de1a
• Opcode Fuzzy Hash: b134bfc99b4937bcdc6a8f2266ea4a9844673ec99e69820db13004ad9790fc17
• Instruction Fuzzy Hash: 7881D675A00109EFCB05DFA4C984EEEB7B9FF89315F204598E516EB250DB71AE06CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ab8987037e806c366eb6ca6d29b1251a7b1cfe4bf77bf8aa6aabf43c86455526
• Instruction ID: 2710b7782b5485bde446ba9d0fc61273b43bbdb78faee4353f6d065d539efcfa
• Opcode Fuzzy Hash: ab8987037e806c366eb6ca6d29b1251a7b1cfe4bf77bf8aa6aabf43c86455526
• Instruction Fuzzy Hash: FE415D35A00614AFDF23BBBE8C45ABE3AB8EF4B370F150665F418DE191E774484153A1
APIs
• GetWindowRect.USER32(0164FE50,?), ref: 003F62E2
• ScreenToClient.USER32(?,?), ref: 003F6315
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003F6382
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
• Opcode ID: fba7738399d2d86d486c34221ef54b49cf30cb5930790c9a909256d6575bb930
• Instruction ID: a29de2cd2775726332a804f5144880c351eedae7f1ba6fd12569881726ae65da
• Opcode Fuzzy Hash: fba7738399d2d86d486c34221ef54b49cf30cb5930790c9a909256d6575bb930
• Instruction Fuzzy Hash: 79514A74A00209EFCB12DF68D881ABE7BB5EF55360F11856AF9159B2A1D730ED41CB50
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 003E1AFD
• WSAGetLastError.WSOCK32 ref: 003E1B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003E1B8A
• WSAGetLastError.WSOCK32 ref: 003E1B94
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: bcbb42ec2655f5844d4998d0bbf17fb632245027b9fe3e5335e0a10378ee38e7
• Instruction ID: f7db133529546f28a9bef5158a2142364540703fb48d43a129ca2bc049cff9bc
• Opcode Fuzzy Hash: bcbb42ec2655f5844d4998d0bbf17fb632245027b9fe3e5335e0a10378ee38e7
• Instruction Fuzzy Hash: 2841D334640211AFE722AF25C886F3A77E5AB44718F54C588F91A9F3D2D7B2ED41CB90
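The records in this listing are static decompilation entries for the main image (every Memory Dump Source is the same module, "based on PE: true"): they say which API chains the code contains, not which of them executed. To work with a dump like this offline, the following added Python (not Joe Sandbox code and not part of the report) parses the records into dicts, resolves the ordinal import `#21.WSOCK32` through the Winsock 1.1 export table (ordinal 21 is setsockopt), decodes the `socket(2,2,0x11)` triple as AF_INET/SOCK_DGRAM/IPPROTO_UDP, and flags records that touch an analyst-chosen watchlist. The three embedded records are copied from this listing with the indentation and link text removed; the watchlist, the field names and the `triage` output format are assumptions of the example.

```python
"""Parse the per-function records of a Joe Sandbox execution-graph dump and
flag API chains worth a first look.  Added example, not Joe Sandbox code."""
import re

# Constructed excerpt: three records copied from the report, indentation and
# "Download File" link residue removed.
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003BD3BF
• FreeLibrary.KERNEL32 ref: 003BD3E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
Similarity
• API ID: AddressFreeLibraryProc
• String ID: GetSystemWow64DirectoryW$X64
• Opcode ID: 8e41dab2552537c9294a0c331163d02db7822e55706d6eba28aada945d8d3dd8
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 003E1AFD
• WSAGetLastError.WSOCK32 ref: 003E1B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003E1B8A
• WSAGetLastError.WSOCK32 ref: 003E1B94
Similarity
• API ID: ErrorLast$socket
• String ID:
• Opcode ID: bcbb42ec2655f5844d4998d0bbf17fb632245027b9fe3e5335e0a10378ee38e7
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003D5783
• GetLastError.KERNEL32(?,00000000), ref: 003D57A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003D57CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003D57FA
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• Opcode ID: 84953b3532cdf0b6946de8e00d0461f2f84ef8fdb14243f8b1dd787a9bbb76e7
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# One call line: "<name>.<MODULE>(<args>), ref: <addr>" or "<name>.<MODULE> ref: <addr>".
API_RE = re.compile(
    r"^•\s*(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Winsock 1.1 export ordinals (wsock32.dll / ws2_32.dll); the report renders
# imports by ordinal as "#<n>".
WSOCK_ORDINALS = {2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
                  19: "send", 20: "sendto", 21: "setsockopt", 23: "socket"}

# Analyst-chosen watchlist: an assumption of this example, not a report field.
WATCHLIST = {
    "GetProcAddress": "resolves an import at run time; check the String ID for the name",
    "socket": "opens a network socket",
    "CreateHardLinkW": "creates an NTFS hard link",
}


def resolve_name(name, module):
    """Map "#21" on a WSOCK32 import to its Winsock 1.1 name; others pass through."""
    if name.startswith("#") and module.upper() in ("WSOCK32", "WS2_32"):
        return WSOCK_ORDINALS.get(int(name[1:]), name)
    return name


def parse_records(text):
    """Split the dump into records; a new record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                rec = {"apis": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                name = m.group("name")
                rec["apis"].append({
                    "name": resolve_name(name, m.group("module")),
                    "raw_name": name,
                    "module": m.group("module"),
                    "args": m.group("args") or "",
                    "ref": m.group("ref"),
                })
        else:
            m = FIELD_RE.match(line)
            if m:
                rec["fields"][m.group("key").strip()] = m.group("val").strip()
    return records


def describe_socket(args):
    """Decode the (af, type, proto) triple of a socket() call from the hex args."""
    af, typ, proto = (int(a, 16) for a in args.split(","))
    names = {(2, 2, 17): "AF_INET/SOCK_DGRAM/IPPROTO_UDP",
             (2, 1, 6): "AF_INET/SOCK_STREAM/IPPROTO_TCP"}
    return names.get((af, typ, proto), f"af={af} type={typ} proto={proto}")


def triage(records):
    """Return (opcode_id_prefix, [notes]) for every record touching a watchlisted API."""
    out = []
    for rec in records:
        notes = []
        for api in rec["apis"]:
            if api["name"] in WATCHLIST:
                note = f'{api["name"]}@{api["ref"]}: {WATCHLIST[api["name"]]}'
                if api["name"] == "socket":
                    note += f' ({describe_socket(api["args"])})'
                notes.append(note)
        if notes:
            out.append((rec["fields"].get("Opcode ID", "?")[:12], notes))
    return out


if __name__ == "__main__":
    for opcode_id, notes in triage(parse_records(SAMPLE)):
        print(opcode_id)
        for n in notes:
            print("  " + n)
```

Run as a script it prints one group per flagged record, keyed by the first twelve characters of the Opcode ID so a hit can be matched back to the listing. The watchlist is deliberately short; replace it with the APIs the investigation cares about, and keep the caveat in mind that a hit here proves the code path exists in the image, not that the sandbox run reached it.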
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 019e8827770b1bec5c766d9c58db7eeb7678fb464a62b51583fd1cc75ec0fa9c
                                                                                                            • Instruction ID: 58686563eea8f0793a2ea75049a4bf144ea95c454f4f65b08992a7a864f7ebfe
                                                                                                            • Opcode Fuzzy Hash: 019e8827770b1bec5c766d9c58db7eeb7678fb464a62b51583fd1cc75ec0fa9c
                                                                                                            • Instruction Fuzzy Hash: 3C412675A00704BFDB26AF79DD41BAAFBE9EF88710F10852AF101DF692D37199018780
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003D5783
• GetLastError.KERNEL32(?,00000000), ref: 003D57A9
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003D57CE
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003D57FA
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 84953b3532cdf0b6946de8e00d0461f2f84ef8fdb14243f8b1dd787a9bbb76e7
• Instruction ID: 161994d8cfbf4600e79cdc810aa8ee27ae96616bb32562c5c2af7467450fc7f6
• Opcode Fuzzy Hash: 84953b3532cdf0b6946de8e00d0461f2f84ef8fdb14243f8b1dd787a9bbb76e7
• Instruction Fuzzy Hash: 1F414D36210610DFCB12DF15C544A5DBBE2EF49724B19C489E94A9F366CB30FD50CB91
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,00386D71,00000000,00000000,003882D9,?,003882D9,?,00000001,00386D71,?,00000001,003882D9,003882D9), ref: 0039D910
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0039D999
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0039D9AB
• __freea.LIBCMT ref: 0039D9B4
  • Part of subcall function 00393820: RtlAllocateHeap.NTDLL(00000000,?,00431444,?,0037FDF5,?,?,0036A976,00000010,00431440,003613FC,?,003613C6,?,00361129), ref: 00393852
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: cec28a1a94ed1fce0049948e9ffc2f4b6eaa9cc4a9409093123af98f409634a0
• Instruction ID: 1919f9c20047b6b8957fba62e00c719824cb89ea0c3f0834760771bea110592c
• Opcode Fuzzy Hash: cec28a1a94ed1fce0049948e9ffc2f4b6eaa9cc4a9409093123af98f409634a0
• Instruction Fuzzy Hash: 9D31C372A0020AABDF26EF64DC42EAF7BA5EB41310F164169FC04DB150E739CD54CB90
APIs
• SendMessageW.USER32(?,00001024,00000000,?), ref: 003F5352
• GetWindowLongW.USER32(?,000000F0), ref: 003F5375
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 003F5382
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003F53A8
Similarity
• API ID: LongWindow$InvalidateMessageRectSend
• String ID:
• API String ID: 3340791633-0
• Opcode ID: ad2b26c4ac99cdb00ff2f1d516cdb0ab1586e5b262237f3a2a89d26c1a1d3792
• Instruction ID: 56f692a6f89562891d73064d6c8a9406aa3e1bc63b2ba040b04eb597f8fe743a
• Opcode Fuzzy Hash: ad2b26c4ac99cdb00ff2f1d516cdb0ab1586e5b262237f3a2a89d26c1a1d3792
• Instruction Fuzzy Hash: EF31A238A55A0CEFEB339E1CCC45BF877AAAB05390F595113FB11961E1C7B09940DB42
APIs
• GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 003CABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 003CAC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 003CAC74
• SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 003CACC6
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: f83ec0ede71d2e56b6240b83038451d25399d3fb0d75cc20ef1931bccdecc3c2
• Instruction ID: dbf3d1d5746f398ecbfa3037b6cf7b386c9d324a2579f8044f2c38d49e354720
• Opcode Fuzzy Hash: f83ec0ede71d2e56b6240b83038451d25399d3fb0d75cc20ef1931bccdecc3c2
• Instruction Fuzzy Hash: 21312870A44A1C6FEF37CB658C08FFA7BA9AB45318F09821EE485D61D1C3758D858792
APIs
• ClientToScreen.USER32(?,?), ref: 003F769A
• GetWindowRect.USER32(?,?), ref: 003F7710
• PtInRect.USER32(?,?,003F8B89), ref: 003F7720
• MessageBeep.USER32(00000000), ref: 003F778C
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 5b180e158259be423f1255d4b437339990a7bc4b33f7ab573014b7574ce2a6a5
• Instruction ID: 1dc1c3520ffa24b7accc0c8156a9036cd2fb8a55f408efae29a3153ed5293c4e
• Opcode Fuzzy Hash: 5b180e158259be423f1255d4b437339990a7bc4b33f7ab573014b7574ce2a6a5
• Instruction Fuzzy Hash: 46419A74A19218DFCB12EF59C994EB9B7F5BF49344F1A40A8EA149B261C330E949CB90
APIs
• GetForegroundWindow.USER32 ref: 003F16EB
  • Part of subcall function 003C3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003C3A57
  • Part of subcall function 003C3A3D: GetCurrentThreadId.KERNEL32 ref: 003C3A5E
  • Part of subcall function 003C3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003C25B3), ref: 003C3A65
• GetCaretPos.USER32(?), ref: 003F16FF
• ClientToScreen.USER32(00000000,?), ref: 003F174C
• GetForegroundWindow.USER32 ref: 003F1752
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: 569197f53d76306ce4ae5b16d181b4e254d670004d7c619c5cd4b5d0e61b17da
• Instruction ID: 88327df5a5c31527d3f475e804ec7ab81e21be927dfa7c6202ccf1bcc6dd75ca
• Opcode Fuzzy Hash: 569197f53d76306ce4ae5b16d181b4e254d670004d7c619c5cd4b5d0e61b17da
• Instruction Fuzzy Hash: 2D315075D10149AFC701EFA9C981CBEBBFDEF48304B50806AE455EB211D6719E45CBA0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 003CD501
• Process32FirstW.KERNEL32(00000000,?), ref: 003CD50F
• Process32NextW.KERNEL32(00000000,?), ref: 003CD52F
• CloseHandle.KERNEL32(00000000), ref: 003CD5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 6286ca5deaf5fc332b729c57833862549de9cf5d03d1ce7b7bcacc16e3526e9b
• Instruction ID: 581e7f000000895f69d31527b144cc19ce274871e3753f40981914e5791b71af
• Opcode Fuzzy Hash: 6286ca5deaf5fc332b729c57833862549de9cf5d03d1ce7b7bcacc16e3526e9b
• Instruction Fuzzy Hash: DA3181711083049FD302EF54C881FAFBBE8EF99354F14492DF585971A1EB719948CB92
APIs
  • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
• GetCursorPos.USER32(?), ref: 003F9001
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003B7711,?,?,?,?,?), ref: 003F9016
• GetCursorPos.USER32(?), ref: 003F905E
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003B7711,?,?,?), ref: 003F9094
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: 15d0940f6019e8563126f926093d9cdc090b7ad6286ad4d7b62f87e83cfc1cae
• Instruction ID: 9211291d77518d14d36f91bdb489edf8f3b0ae55428ffc5d169a343fa1ac91cf
• Opcode Fuzzy Hash: 15d0940f6019e8563126f926093d9cdc090b7ad6286ad4d7b62f87e83cfc1cae
• Instruction Fuzzy Hash: 1E21803560001CEFDB268F95C958FFA7BB9EF4A350F0441A6F6054B2A1C7359990DF64
APIs
• GetFileAttributesW.KERNEL32(?,003FCB68), ref: 003CD2FB
• GetLastError.KERNEL32 ref: 003CD30A
• CreateDirectoryW.KERNEL32(?,00000000), ref: 003CD319
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003FCB68), ref: 003CD376
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 2267087916-0
                                                                                                            • Opcode ID: 1e8dbec88f8218b9de0fbe98b5ed56db5f00e8403b557c0699662d9444612b1f
                                                                                                            • Instruction ID: cfd7288497d00ca17d624287ea1a5b13febf3cec64975d3c56bead37edcbf36e
                                                                                                            • Opcode Fuzzy Hash: 1e8dbec88f8218b9de0fbe98b5ed56db5f00e8403b557c0699662d9444612b1f
                                                                                                            • Instruction Fuzzy Hash: 7F21B2785483059FC702DF28C9819AEB7E8EE56364F104A2EF499C72A1D731DD4ACB93
APIs
  • Part of subcall function 003C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003C102A
  • Part of subcall function 003C1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003C1036
  • Part of subcall function 003C1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003C1045
  • Part of subcall function 003C1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003C104C
  • Part of subcall function 003C1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003C1062
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003C15BE
• _memcmp.LIBVCRUNTIME ref: 003C15E1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 003C1617
• HeapFree.KERNEL32(00000000), ref: 003C161E
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
• Opcode ID: 45a733473f4bb8616a0fab3343eb6dc2385a9e613ef687673d7e23ba19526ffe
• Instruction ID: 0e8feb4332b5f3af759e07c140435f9ba7b5839ad7cb74cbb7bb39c4c81570b7
• Opcode Fuzzy Hash: 45a733473f4bb8616a0fab3343eb6dc2385a9e613ef687673d7e23ba19526ffe
• Instruction Fuzzy Hash: 16219A31E40108AFDB01DFA4C944FEEB7B8EF42344F194459E881EB242E731AE05EBA0
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 003F280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 003F2824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 003F2832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003F2840
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: ed6543bc9657e7c4359d4c97e5ddb6b414b3a6036031478e92cf36eff95542b0
• Instruction ID: ae13787ce3eae0d1870418ecb30c2f33e099f108428cb31657a1390b2c2e9e65
• Opcode Fuzzy Hash: ed6543bc9657e7c4359d4c97e5ddb6b414b3a6036031478e92cf36eff95542b0
• Instruction Fuzzy Hash: 7821E031204519EFD7169B24C844FBA7B99AF46324F148158F5268F6E2CB71EC82CB90
APIs
  • Part of subcall function 003C8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003C790A,?,000000FF,?,003C8754,00000000,?,0000001C,?,?), ref: 003C8D8C
  • Part of subcall function 003C8D7D: lstrcpyW.KERNEL32(00000000,?,?,003C790A,?,000000FF,?,003C8754,00000000,?,0000001C,?,?,00000000), ref: 003C8DB2
  • Part of subcall function 003C8D7D: lstrcmpiW.KERNEL32(00000000,?,003C790A,?,000000FF,?,003C8754,00000000,?,0000001C,?,?), ref: 003C8DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003C8754,00000000,?,0000001C,?,?,00000000), ref: 003C7923
• lstrcpyW.KERNEL32(00000000,?,?,003C8754,00000000,?,0000001C,?,?,00000000), ref: 003C7949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,003C8754,00000000,?,0000001C,?,?,00000000), ref: 003C7984
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: e67fb9822e6fc44b9d538555e0ffaac2fdf56ed77009d22314ed8d6bff61b6e1
• Instruction ID: da0de47aae7b82d3bcd94bbad0cd25f69670d95a11e5c3e813d43827f515b3e9
• Opcode Fuzzy Hash: e67fb9822e6fc44b9d538555e0ffaac2fdf56ed77009d22314ed8d6bff61b6e1
• Instruction Fuzzy Hash: C511D63A200205AFCB269F34D845E7A77A9FF45350B50402EFD46CB264EB319D11CB61
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 003F7D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 003F7D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003F7D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003DB7AD,00000000), ref: 003F7D6B
  • Part of subcall function 00379BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00379BB2
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
• Opcode ID: d76a87360df673be322cd9bb7f3cf8c63baed6f535556ed552f20e5aa0346598
• Instruction ID: d04effbdf5a9ecb21581cce7c47af64193f83b2c78cfa353c21927b0179962e9
• Opcode Fuzzy Hash: d76a87360df673be322cd9bb7f3cf8c63baed6f535556ed552f20e5aa0346598
• Instruction Fuzzy Hash: 2611AF31618619AFCB129F28CC04EB63BA9AF46360F569734F939CB2F0D7309951CB50
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 003F56BB
• _wcslen.LIBCMT ref: 003F56CD
• _wcslen.LIBCMT ref: 003F56D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 003F5816
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
• Opcode ID: d713c5f1ee37846eeaf07993d5ce38060140c461cc9ed9ce84663cabc688131f
• Instruction ID: a94e39294ed1958c7fd0f0c7fd55cf73b595655ee51342f9352e0636696214d5
• Opcode Fuzzy Hash: d713c5f1ee37846eeaf07993d5ce38060140c461cc9ed9ce84663cabc688131f
• Instruction Fuzzy Hash: 1611D37560460C96DB22AF61CC85AFE77BCEF11760F10406AFB15D6081EBB0CA84CB64
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cda80becd9b2255f37aae388892f3839e025375dcffada6d59101ccc97777d3c
• Instruction ID: c6e3a1d9c363b93a29b8b42501cda4ec1941379b02bc879960e88982a4f1860a
• Opcode Fuzzy Hash: cda80becd9b2255f37aae388892f3839e025375dcffada6d59101ccc97777d3c
• Instruction Fuzzy Hash: 770128B2209A1A7EEE2226786CC1F77665DDF423B8B351325B521A51D2DB608C109160
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 003C1A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003C1A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003C1A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 003C1A8A
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: eef1df6eff339f7cad8b31294917357a5e9574bcd54b5584ec2df69b40c34c20
• Instruction ID: 930b3474c66b2be2af4f8257fc6ef360be2c8a7191a10ab350a314b213868b86
• Opcode Fuzzy Hash: eef1df6eff339f7cad8b31294917357a5e9574bcd54b5584ec2df69b40c34c20
• Instruction Fuzzy Hash: 3A11393AD01219FFEB11DBA4CD85FADFB78EB08750F200095EA00B7290D671AE50EB94
APIs
• GetCurrentThreadId.KERNEL32 ref: 003CE1FD
• MessageBoxW.USER32(?,?,?,?), ref: 003CE230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003CE246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003CE24D
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateThread.KERNEL32(00000000,?,0038CFF9,00000000,00000004,00000000), ref: 0038D218
• GetLastError.KERNEL32 ref: 0038D224
• __dosmaperr.LIBCMT ref: 0038D22B
• ResumeThread.KERNEL32(00000000), ref: 0038D249
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0036604C
• GetStockObject.GDI32(00000011), ref: 00366060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0036606A
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00383B56
  • Part of subcall function 00383AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00383AD2
  • Part of subcall function 00383AA3: ___AdjustPointer.LIBCMT ref: 00383AED
• _UnwindNestedFrames.LIBCMT ref: 00383B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00383B7C
• CallCatchBlock.LIBVCRUNTIME ref: 00383BA4
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003613C6,00000000,00000000,?,0039301A,003613C6,00000000,00000000,00000000,?,0039328B,00000006,FlsSetValue), ref: 003930A5
• GetLastError.KERNEL32(?,0039301A,003613C6,00000000,00000000,00000000,?,0039328B,00000006,FlsSetValue,00402290,FlsSetValue,00000000,00000364,?,00392E46), ref: 003930B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0039301A,003613C6,00000000,00000000,00000000,?,0039328B,00000006,FlsSetValue,00402290,FlsSetValue,00000000), ref: 003930BF
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 003C747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003C7497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003C74AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003C74CA
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003CACD3,?,00008000), ref: 003CB0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003CACD3,?,00008000), ref: 003CB0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003CACD3,?,00008000), ref: 003CB0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003CACD3,?,00008000), ref: 003CB126
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetWindowRect.USER32(?,?), ref: 003F7E33
• ScreenToClient.USER32(?,?), ref: 003F7E4B
• ScreenToClient.USER32(?,?), ref: 003F7E6F
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003F7E8A
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003C2DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 003C2DD6
• GetCurrentThreadId.KERNEL32 ref: 003C2DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003C2DE4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 2710830443-0
APIs
  • Part of subcall function 00379639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00379693
  • Part of subcall function 00379639: SelectObject.GDI32(?,00000000), ref: 003796A2
  • Part of subcall function 00379639: BeginPath.GDI32(?), ref: 003796B9
  • Part of subcall function 00379639: SelectObject.GDI32(?,00000000), ref: 003796E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003F8887
• LineTo.GDI32(?,?,?), ref: 003F8894
• EndPath.GDI32(?), ref: 003F88A4
• StrokePath.GDI32(?), ref: 003F88B2
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
APIs
• GetSysColor.USER32(00000008), ref: 003798CC
• SetTextColor.GDI32(?,?), ref: 003798D6
• SetBkMode.GDI32(?,00000001), ref: 003798E9
• GetStockObject.GDI32(00000005), ref: 003798F1
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
APIs
• GetCurrentThread.KERNEL32 ref: 003C1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003C11D9), ref: 003C163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003C11D9), ref: 003C1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003C11D9), ref: 003C164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
APIs
• GetDesktopWindow.USER32 ref: 003BD858
• GetDC.USER32(00000000), ref: 003BD862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 003BD882
• ReleaseDC.USER32(?), ref: 003BD8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
• GetDesktopWindow.USER32 ref: 003BD86C
• GetDC.USER32(00000000), ref: 003BD876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 003BD882
• ReleaseDC.USER32(?), ref: 003BD8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
APIs
  • Part of subcall function 00367620: _wcslen.LIBCMT ref: 00367625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003D4ED4
Strings
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
APIs
• CharUpperBuffW.USER32(003B569E,00000000,?,003FCC08,?,00000000,00000000), ref: 003E78DD
  • Part of subcall function 00366B57: _wcslen.LIBCMT ref: 00366B6A
• CharUpperBuffW.USER32(003B569E,00000000,?,003FCC08,00000000,?,00000000,00000000), ref: 003E783B
Strings
Similarity
• API ID: BuffCharUpper$_wcslen
• String ID: <sB
• API String ID: 3544283678-1324404591
Strings
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: #
                                                                                                            • API String ID: 0-1885708031
                                                                                                            • Opcode ID: b21e3616f8949380d0433ee7c19aafbf753c4fae49e125f74c2b7863b33e88b0
                                                                                                            • Instruction ID: 5d841904f1951291ab4f94ce9808bd690e791dd3a36869db88030c29d2bbe01e
                                                                                                            • Opcode Fuzzy Hash: b21e3616f8949380d0433ee7c19aafbf753c4fae49e125f74c2b7863b33e88b0
                                                                                                            • Instruction Fuzzy Hash: 86519635504306EFDB27EF68C0826FA7BA8EF19314F248099ED919B6D1DB349D42DB90
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000), ref: 0037F2A2
                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0037F2BB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemorySleepStatus
                                                                                                            • String ID: @
                                                                                                            • API String ID: 2783356886-2766056989
                                                                                                            • Opcode ID: 9564bd71c5c02d7ae4c8b05e8c13423a6517784ea3b5ef859550bb533df8096b
                                                                                                            • Instruction ID: 3c8188c7a9ecd63f62884d1d9ac38cc116a5cfac4106188f589c8a199b161f59
                                                                                                            • Opcode Fuzzy Hash: 9564bd71c5c02d7ae4c8b05e8c13423a6517784ea3b5ef859550bb533df8096b
                                                                                                            • Instruction Fuzzy Hash: 905175714187449BD321AF50D886BAFBBF8FF84704F81885CF2D9450A9EB718529CB66
                                                                                                            APIs
                                                                                                            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003E57E0
                                                                                                            • _wcslen.LIBCMT ref: 003E57EC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: BuffCharUpper_wcslen
                                                                                                            • String ID: CALLARGARRAY
                                                                                                            • API String ID: 157775604-1150593374
                                                                                                            • Opcode ID: 95a453f00a75a74c3bda8bab306dd4cc7508caea832bb59d52234f0f9b6e5814
                                                                                                            • Instruction ID: 456a58d0bc9d575d523bf7252885a51d16136628757937f3682628626d80ab6b
                                                                                                            • Opcode Fuzzy Hash: 95a453f00a75a74c3bda8bab306dd4cc7508caea832bb59d52234f0f9b6e5814
                                                                                                            • Instruction Fuzzy Hash: 6441E231E00229DFCB15DFAAC8819BEBBB4FF59314F118269E505EB291E7309D81CB90
                                                                                                            APIs
                                                                                                            • _wcslen.LIBCMT ref: 003DD130
                                                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003DD13A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CrackInternet_wcslen
                                                                                                            • String ID: |
                                                                                                            • API String ID: 596671847-2343686810
                                                                                                            • Opcode ID: 784fb7de3aeaa2197edc269ef42a81e0e2b69cd9d8eabebf6de61f684a04192f
                                                                                                            • Instruction ID: 2bab2004a411232899ee73005dcc1ce62f0e72ff7cd20ef86f1da48c09dbe1fa
                                                                                                            • Opcode Fuzzy Hash: 784fb7de3aeaa2197edc269ef42a81e0e2b69cd9d8eabebf6de61f684a04192f
                                                                                                            • Instruction Fuzzy Hash: 7D313071D00209ABCF16EFA4DD85AEEBFB9FF04340F004159F815AA266D731AA16DB90
                                                                                                            APIs
                                                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 003F3621
                                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003F365C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$DestroyMove
                                                                                                            • String ID: static
                                                                                                            • API String ID: 2139405536-2160076837
                                                                                                            • Opcode ID: 156b9cfff1e54ea711e7cb8371a46b813ebe5f8863e4af2c3fc278fe56fde490
                                                                                                            • Instruction ID: 5a969f62b0104b48e829ab785ebe8522f3c538e0cc7315109e57615c98ccbbcc
                                                                                                            • Opcode Fuzzy Hash: 156b9cfff1e54ea711e7cb8371a46b813ebe5f8863e4af2c3fc278fe56fde490
                                                                                                            • Instruction Fuzzy Hash: 8531B071110208AEDB159F68CC80EFB73A9FF88720F019619F9A5D7290DA34ED81C760
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 003F461F
                                                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003F4634
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: '
                                                                                                            • API String ID: 3850602802-1997036262
                                                                                                            • Opcode ID: a4da95940717ceaebae1e05b5ae90bce0082ff4db08a7ee0984595bbb6af5c71
                                                                                                            • Instruction ID: 567919e6e582bf134261a0a9bfc2fb2f65c3084b6f794052980bd27917f2b6c5
                                                                                                            • Opcode Fuzzy Hash: a4da95940717ceaebae1e05b5ae90bce0082ff4db08a7ee0984595bbb6af5c71
                                                                                                            • Instruction Fuzzy Hash: A7310774A0120D9FDB15DF69C990BEABBB5FF49300F15406AEA05EB351D770A941CF90
                                                                                                            APIs
                                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003F327C
                                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003F3287
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: Combobox
                                                                                                            • API String ID: 3850602802-2096851135
                                                                                                            • Opcode ID: 0e13ce818f225c17f8dff933c9710c46be34aebed426bb3de15b8a534d43ae6b
                                                                                                            • Instruction ID: 66c6d5cc219ed436805db1843f84b0f96f68d272a90409275406b0f604d47273
                                                                                                            • Opcode Fuzzy Hash: 0e13ce818f225c17f8dff933c9710c46be34aebed426bb3de15b8a534d43ae6b
                                                                                                            • Instruction Fuzzy Hash: 7C11B27130420C7FFF269F54DC81EBB376AEB943A4F114925FA189B290D631DD519760
                                                                                                            APIs
                                                                                                              • Part of subcall function 0036600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0036604C
                                                                                                              • Part of subcall function 0036600E: GetStockObject.GDI32(00000011), ref: 00366060
                                                                                                              • Part of subcall function 0036600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0036606A
                                                                                                            • GetWindowRect.USER32(00000000,?), ref: 003F377A
                                                                                                            • GetSysColor.USER32(00000012), ref: 003F3794
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                                            • String ID: static
                                                                                                            • API String ID: 1983116058-2160076837
                                                                                                            • Opcode ID: 377c3bb5313a168403966c5d852563dbf07079923e7c3f637a4141f19c6f1ca9
                                                                                                            • Instruction ID: dc59ce257e04d3f575d0b31ef393a8205674be363227e7daa45597916eb6c0f2
                                                                                                            • Opcode Fuzzy Hash: 377c3bb5313a168403966c5d852563dbf07079923e7c3f637a4141f19c6f1ca9
                                                                                                            • Instruction Fuzzy Hash: 241129B261020DAFDB02EFA8CC46EFA7BB8EB08354F015924FA55E2250D735E855DB50
                                                                                                            APIs
                                                                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003DCD7D
                                                                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003DCDA6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Internet$OpenOption
                                                                                                            • String ID: <local>
                                                                                                            • API String ID: 942729171-4266983199
                                                                                                            • Opcode ID: 798d9e4f47e963c49253cb02e1899df0e636e82bfe35c4e4dfd6afdec9646956
                                                                                                            • Instruction ID: d7d9fb1a1dee3e2dab74826d39fdb7d3676b0dd2dc19a72646162fe483c3a132
                                                                                                            • Opcode Fuzzy Hash: 798d9e4f47e963c49253cb02e1899df0e636e82bfe35c4e4dfd6afdec9646956
                                                                                                            • Instruction Fuzzy Hash: 6B11E3722316367ED72A4A66AC44EF3BE6EEF127A4F005227B10983680D2609844D6F0
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 003F34AB
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003F34BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: e6ac962715dbe8d5151a2fe077fb6f9bdfa50b66f4dcde61e6bebbcbd41233a6
• Instruction ID: dd6accd98b69adc5f844432f485cbef242d6754782ac90bbd4b712ebb54398a2
• Opcode Fuzzy Hash: e6ac962715dbe8d5151a2fe077fb6f9bdfa50b66f4dcde61e6bebbcbd41233a6
• Instruction Fuzzy Hash: 25116A7110020CAAEB138E65DC44ABB376AEB05374F514724FA65971E0C771DC519B64
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
• CharUpperBuffW.USER32(?,?,?), ref: 003C6CB6
• _wcslen.LIBCMT ref: 003C6CC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
• Opcode ID: b4057b6b6a5f595ae43400f098d0b7f1e4578cd8a196c4750176252f84ad4776
• Instruction ID: cc80c3f05ffdcb42a4af29e713336800eaf7c1d17f34b56876259627cde3de78
• Opcode Fuzzy Hash: b4057b6b6a5f595ae43400f098d0b7f1e4578cd8a196c4750176252f84ad4776
• Instruction Fuzzy Hash: 060104326009268BCB22AFBDDC86EBF33B8EA61710B02453DE862D7194EB31DC00C750
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003C3CCA
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003C1D4C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 14a9efabf40e79067a31789a115802f3b4dae8d75d3b8cf462e076766d2765c3
• Instruction ID: d2c98ef9c4ad2e949bb601ceb92457a875a01529c167ae554059d8f2175f5ed3
• Opcode Fuzzy Hash: 14a9efabf40e79067a31789a115802f3b4dae8d75d3b8cf462e076766d2765c3
• Instruction Fuzzy Hash: B001F571640218ABCB06EBA0CD15EFE776CEB13350B14490EB8239B2C6EA309D08D760
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003C3CCA
• SendMessageW.USER32(?,00000180,00000000,?), ref: 003C1C46
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 582e56f0a4a7685ed45bb4ec4e261e7e0b53fb42edbe42bf5b05512d3d71e5ac
• Instruction ID: caac36e2d2a9c251806793fe5716ced18e24044132c6bd4cd43c5af43e3531b4
• Opcode Fuzzy Hash: 582e56f0a4a7685ed45bb4ec4e261e7e0b53fb42edbe42bf5b05512d3d71e5ac
• Instruction Fuzzy Hash: 6301A77578110867CB06FB90DA51FFF77AC9B12340F14801EB406AB286EA349E18E7B1
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003C3CCA
• SendMessageW.USER32(?,00000182,?,00000000), ref: 003C1CC8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: d47a459cff5ca035390405d72e3397ac86f3e92cd8ebf3e2a4ad17591fa209ff
• Instruction ID: a6d434e449de9f11e2af984ef3e3a30b6fb433cc388e0d75779563fc517a0601
• Opcode Fuzzy Hash: d47a459cff5ca035390405d72e3397ac86f3e92cd8ebf3e2a4ad17591fa209ff
• Instruction Fuzzy Hash: 5801A27178011867CB06EBA0CB11FFE77AC9B12340F54801AB802F7286EA349F18E771
APIs
• __Init_thread_footer.LIBCMT ref: 0037A529
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: Init_thread_footer_wcslen
• String ID: ,%C$3y;
• API String ID: 2551934079-2613605041
• Opcode ID: abdec19870568d1902ad35f0d61301c5e620e9c099bc130396d4553d6fa4ca73
• Instruction ID: 818750b06b2cf01b3da53b173192408d1b48acad941f4f5bb4b4eec0881d1154
• Opcode Fuzzy Hash: abdec19870568d1902ad35f0d61301c5e620e9c099bc130396d4553d6fa4ca73
• Instruction Fuzzy Hash: D5017B31740B1497C527F378D91BBAD3358CB8A720F408065F5095F2C2DE685E05879B
APIs
  • Part of subcall function 00369CB3: _wcslen.LIBCMT ref: 00369CBD
  • Part of subcall function 003C3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003C3CCA
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 003C1DD3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: a9a6fda27083a9e9cba745e0b9c1a5a7f680bed6479024f0b225e98e7faa718c
• Instruction ID: c0ba2d7aef3ac931db09b2ae99656ed5070d8f54e5f7b31deb6e56fa298973cc
• Opcode Fuzzy Hash: a9a6fda27083a9e9cba745e0b9c1a5a7f680bed6479024f0b225e98e7faa718c
• Instruction Fuzzy Hash: 47F0F471B4021867CB06F7A4DD56FFE777CAB02340F04091AB822EB2C6DA705D089360
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00433018,0043305C), ref: 003F81BF
• CloseHandle.KERNEL32 ref: 003F81D1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: \0C
• API String ID: 3712363035-2859739167
• Opcode ID: 5956d518e04830f34f4e712751d7e946231001eea7397b33a633f0857eda0f7c
• Instruction ID: 1098abd9b568d4f0e6fd11df2c2208f3bb85d25645d5872783d89145628a8ce4
• Opcode Fuzzy Hash: 5956d518e04830f34f4e712751d7e946231001eea7397b33a633f0857eda0f7c
• Instruction Fuzzy Hash: 85F05EB5A40304BAF2256F61AC45FB73AACDB09752F005471BB08D91A2D6798E0497BC
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
• Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
Similarity
• API ID: _wcslen
• String ID: 3, 3, 16, 1
• API String ID: 176396367-3042988571
• Opcode ID: bc00f18dc6533c73b96d30c4ce7850e40b6f46bfe3c997a3a5e24ab501496d7f
• Instruction ID: 3d96d0766c0a8c5c2755d12428aebaaa1b18e13fda6c6b7f1a8c00decde6a9c4
• Opcode Fuzzy Hash: bc00f18dc6533c73b96d30c4ce7850e40b6f46bfe3c997a3a5e24ab501496d7f
• Instruction Fuzzy Hash: 59E06102305371109333327BECC5A7F5689CFC9790710182BF985C62E6EB94CD9193A0
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003C0B23
Strings
Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message
                                                                                                            • String ID: AutoIt$Error allocating memory.
                                                                                                            • API String ID: 2030045667-4017498283
                                                                                                            • Opcode ID: f88c05b55b31e30390aabbbd41bf27fff4a8fa46d6ceb6f0b7b8680311784371
                                                                                                            • Instruction ID: d9fa27850179d1f96bbbd978ab54a24f7913cc8fb750f5d5a8c88c43473d1817
                                                                                                            • Opcode Fuzzy Hash: f88c05b55b31e30390aabbbd41bf27fff4a8fa46d6ceb6f0b7b8680311784371
                                                                                                            • Instruction Fuzzy Hash: A3E0D8312C431C2ED22636947D03FD97A849F05B50F10442AF748994C3CBE1689087E9
                                                                                                            APIs
                                                                                                              • Part of subcall function 0037F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00380D71,?,?,?,0036100A), ref: 0037F7CE
                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0036100A), ref: 00380D75
                                                                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0036100A), ref: 00380D84
                                                                                                            Strings
                                                                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00380D7F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                            • API String ID: 55579361-631824599
                                                                                                            • Opcode ID: a59d5ae525511e2434c49913b0058a68330aa36daf9436969be545c343d68b50
                                                                                                            • Instruction ID: b0cf665cee1b45655c98de9bbf580fa81e4986d011939591b828924a928045ec
                                                                                                            • Opcode Fuzzy Hash: a59d5ae525511e2434c49913b0058a68330aa36daf9436969be545c343d68b50
                                                                                                            • Instruction Fuzzy Hash: 10E06D742003418FE776AFB8D5047A27BE4AF10740F008D6DE886C6661DBB4E44CCB91
                                                                                                            APIs
                                                                                                            • __Init_thread_footer.LIBCMT ref: 0037E3D5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Init_thread_footer
                                                                                                            • String ID: 0%C$8%C
                                                                                                            • API String ID: 1385522511-2134081724
                                                                                                            • Opcode ID: 29d01d97b36e2a5a7989ad7c253b7311f4d25721a6d7fe6a42104128414742e7
                                                                                                            • Instruction ID: ddfaac78569a69e8e7b8ccea9b6dfc5260d74cfff6132beec9a3543c1de40a23
                                                                                                            • Opcode Fuzzy Hash: 29d01d97b36e2a5a7989ad7c253b7311f4d25721a6d7fe6a42104128414742e7
                                                                                                            • Instruction Fuzzy Hash: 26E02036400A10EBD61AE718B654B4D3355AB0C320B90A1F5E2458B1D19BB81A41874C
                                                                                                            APIs
                                                                                                            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003D302F
                                                                                                            • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 003D3044
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Temp$FileNamePath
                                                                                                            • String ID: aut
                                                                                                            • API String ID: 3285503233-3010740371
                                                                                                            • Opcode ID: 2aa3938c92d4fb0ebd69ec96e7d1188f3bf5625ccf59738e64fc3b0504be4be2
                                                                                                            • Instruction ID: 457a049de3d82c7a6d6df8351eb259551b3d1cc2b1b955a02e9a3b5577ad5163
                                                                                                            • Opcode Fuzzy Hash: 2aa3938c92d4fb0ebd69ec96e7d1188f3bf5625ccf59738e64fc3b0504be4be2
                                                                                                            • Instruction Fuzzy Hash: D9D05E72540328B7DE20A7A4AD0EFDB3A6CDB05750F4006A2B655E2092DBB49984CAD0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LocalTime
                                                                                                            • String ID: %.3d$X64
                                                                                                            • API String ID: 481472006-1077770165
                                                                                                            • Opcode ID: 642739f93237c296d37a36abf991a15220689604dab1bc0288391844dcb81f22
                                                                                                            • Instruction ID: 656b5a6ad5a9167835c3760b975c8f0c1ce1e1ba087a6cf8ecd7a1cf57f25667
                                                                                                            • Opcode Fuzzy Hash: 642739f93237c296d37a36abf991a15220689604dab1bc0288391844dcb81f22
                                                                                                            • Instruction Fuzzy Hash: F6D01261C09158E9CB5296D0DC459F9B37CFB48305F608C62FA0A95C41F638C508AB61
                                                                                                            APIs
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003F232C
                                                                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003F233F
                                                                                                              • Part of subcall function 003CE97B: Sleep.KERNEL32 ref: 003CE9F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindMessagePostSleepWindow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 529655941-2988720461
                                                                                                            • Opcode ID: 95140c347251cd53da3b3a53a24dae9d93dff1ef647dabbfff7c2108c17ce754
                                                                                                            • Instruction ID: 25afd1a1fc288518abb2051ff1397c5344e1fe780f52fce3c7c10153834dd0c6
                                                                                                            • Opcode Fuzzy Hash: 95140c347251cd53da3b3a53a24dae9d93dff1ef647dabbfff7c2108c17ce754
                                                                                                            • Instruction Fuzzy Hash: C0D022323E4310B7E264B330EC0FFD6FA189B00B00F0009267309EA0D0C9F8A800CB08
                                                                                                            APIs
                                                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003F236C
                                                                                                            • PostMessageW.USER32(00000000), ref: 003F2373
                                                                                                              • Part of subcall function 003CE97B: Sleep.KERNEL32 ref: 003CE9F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindMessagePostSleepWindow
                                                                                                            • String ID: Shell_TrayWnd
                                                                                                            • API String ID: 529655941-2988720461
                                                                                                            • Opcode ID: 1d2484cbca94d8df4989f094d2e5d89e5d6371d85d7b815401ef3913b1433679
                                                                                                            • Instruction ID: 5c6713339d6c7fd18acf355a302b21f0dbfae68964b3e1bc397489b1818dc6e9
                                                                                                            • Opcode Fuzzy Hash: 1d2484cbca94d8df4989f094d2e5d89e5d6371d85d7b815401ef3913b1433679
                                                                                                            • Instruction Fuzzy Hash: 61D0A9323D03107AE265A330AC0FFC6A6189B01B00F0009267205EA0D0C9B8A800CA08
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0039BE93
                                                                                                            • GetLastError.KERNEL32 ref: 0039BEA1
                                                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0039BEFC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2227402896.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true
                                                                                                             • Associated: 00000000.00000002.2227359682.0000000000360000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.00000000003FC000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227634593.0000000000422000.00000002.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227705640.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                             • Associated: 00000000.00000002.2227731311.0000000000434000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_360000_rRFQ_BIDLET-PO772917811_PROPOSL_BG_AD____PDF.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1717984340-0
                                                                                                            • Opcode ID: d484eeacb8aa5d99561b9c1096794bd224d2c04190f63f2ea826008bcd178c1c
                                                                                                            • Instruction ID: 68899742ee1fd928ba1b427edca59b90827ae54247791a0a8906a1598c6f8082
                                                                                                            • Opcode Fuzzy Hash: d484eeacb8aa5d99561b9c1096794bd224d2c04190f63f2ea826008bcd178c1c
                                                                                                            • Instruction Fuzzy Hash: F741FD3460420AEFCF239F65EE44ABAFBB9EF41710F154169F95A9B1A1DB708D01CB50