
Windows Analysis Report
Bonifico 2692024pdf.exe

Overview

General Information

Sample name: Bonifico 2692024pdf.exe
Analysis ID: 1519629
MD5: ab5a5fadd9a58b412281fa7c040c54ef
SHA1: d67c6a5fb65869cbb381c0a8276dea5e30ecfed1
SHA256: e4d1f88b5db146a70bce062886dd60b15d13bda9b325535ef4d3ffcb484981ec
Tags: D3Lab, exe, FormBook, SPAM-ITA, user-JAMESWT_MHT

Detection

Family: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Bonifico 2692024pdf.exe (PID: 6084 cmdline: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe" MD5: AB5A5FADD9A58B412281FA7C040C54EF)
    • svchost.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • colorcpl.exe (PID: 6184 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
          • cmd.exe (PID: 5252 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
Malware configuration (FormBook, extracted from memory):
{"C2 list": ["www.reakinggroundtherapy.pro/e23y/"], "decoy": ["stiloeconforto.shop", "79nn470gl.autos", "ffg.autos", "elix-saaac.buzz", "tlasbet88win.sbs", "inoliga.app", "777.fun", "avada-ga-3.press", "avandakitchen.online", "61ep864tr.autos", "igitalonlineseva.online", "ar-deals-15908.bond", "sqqpkv.pro", "368i8rnoy.xyz", "lxspinsenin.lol", "9y204r7eo.sbs", "toptalkingaboutit.net", "eeplab.xyz", "filmyhit.vip", "athroom-remodeling-59089.bond", "hwqcoiu.xyz", "ome-care-76206.bond", "tudioalberto.online", "anfocusedviews.shop", "ibrarygym.online", "emosjumpers.net", "mg-marketing.online", "19bet.xyz", "7556r.club", "sed-cars-35796.bond", "liveiraeletro.online", "iangshen56.cloud", "aeempreendora.online", "bets.net", "sychology-degree-69585.bond", "est-arthritis-therapy-9711.buzz", "zkirv.top", "8015.xyz", "uwueriudsjkdjnfjkdjnkxzk.vip", "etausaha.online", "crubber-brush-64789.bond", "iversitiendaplus.shop", "wrzlak.buzz", "b-999.top", "ower-bank-za-4886348.world", "2361.asia", "believehim.net", "leeconcerned.info", "oland-flight-deal.today", "c-marketing.net", "wgxb.top", "pboardresult.net", "nitednationsofindia.net", "oupondhakel.shop", "elationship-coach-72450.bond", "ounjaronaturaloferta.online", "wpgs2448.vip", "8080734.xyz", "mvqimnpwkxcixccaeafmibpiq.top", "arpediemwireless.net", "eth-paaad.buzz", "renvillemarianne.net", "tephsmith.info", "opinformation.net"]}
Note: many of the extracted names look like domains with their leading character missing (for example "ome-care-76206.bond", "oland-flight-deal.today", "reakinggroundtherapy.pro"). The DNS queries recorded in the Networking section below use exactly these names, so match on them as written rather than on a guessed "correct" spelling.
Source | Rule | Description | Author | Strings
Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp (memory dump, process 4 = colorcpl.exe)
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18819:$sqlite3step: 68 34 1C 7B E1
    • 0x1892c:$sqlite3step: 68 34 1C 7B E1
    • 0x18848:$sqlite3text: 68 38 2A 90 C5
    • 0x1896d:$sqlite3text: 68 38 2A 90 C5
    • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
  (34 matching entries in total; the first 5 are shown)
Source | Rule | Description | Author | Strings
Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack (unpacked PE, process 0 = Bonifico 2692024pdf.exe)
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18819:$sqlite3step: 68 34 1C 7B E1
    • 0x1892c:$sqlite3step: 68 34 1C 7B E1
    • 0x18848:$sqlite3text: 68 38 2A 90 C5
    • 0x1896d:$sqlite3text: 68 38 2A 90 C5
    • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
  (15 matching entries in total; the first 5 are shown)

          System Summary

Source: Process started | Sigma match on the same process-start event by two rules (Authors: Florian Roth (Nextron Systems); vburov) | Data:
  Command: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
  CommandLine: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\svchost.exe
  NewProcessName: C:\Windows\SysWOW64\svchost.exe
  OriginalFileName: C:\Windows\SysWOW64\svchost.exe
  ParentCommandLine: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
  ParentImage: C:\Users\user\Desktop\Bonifico 2692024pdf.exe
  ParentProcessId: 6084
  ParentProcessName: Bonifico 2692024pdf.exe
  ProcessCommandLine: "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
  ProcessId: 1900
  ProcessName: svchost.exe
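The Sigma hit above rests on two facts visible in the event: svchost.exe was started by a user-land dropper rather than services.exe, and the new process carries the dropper's own command line instead of naming svchost.exe with a `-k <group>` argument, which is what a hollowed process created from the dropper's startup data looks like. The following is an added example (not Joe Sandbox, Sigma or FormBook code) that runs both checks over process-start events; the first event is rebuilt from this report, the second is a constructed benign service host, and the parent baseline is an assumption of the example rather than the Sigma rule's exact filter list.

```python
"""Sigma-style triage of svchost.exe process-start events.

Added example for this report (not Joe Sandbox, Sigma or FormBook code).
The first event below is rebuilt from the process-start record in the
report; the second is a constructed benign service host for contrast.
"""

# Parents that are expected to start svchost.exe. This baseline is an
# assumption of the example (it follows the idea of the Sigma rule's filter,
# not its exact list); extend it for your own environment.
EXPECTED_SVCHOST_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\msmpeng.exe",
    r"c:\windows\system32\mrt.exe",
    r"c:\windows\system32\rpcnet.exe",
    r"c:\windows\system32\rpcnetp.exe",
    r"c:\windows\system32\ngen.exe",
}

EVENTS = [
    {   # from this report: svchost.exe (PID 1900) started by the dropper (PID 6084)
        "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r'"C:\Users\user\Desktop\Bonifico 2692024pdf.exe"',
        "ParentImage": r"C:\Users\user\Desktop\Bonifico 2692024pdf.exe",
        "ProcessId": 1900,
        "ParentProcessId": 6084,
    },
    {   # constructed benign event: a normal service host started by services.exe
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "ProcessId": 1234,
        "ParentProcessId": 700,
    },
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_svchost(event: dict) -> bool:
    return _basename(event["Image"]) == "svchost.exe"


def uncommon_parent(event: dict) -> bool:
    """Logic of 'Uncommon Svchost Parent Process': svchost.exe whose parent
    image is not one of the expected service-control binaries."""
    return is_svchost(event) and event["ParentImage"].lower() not in EXPECTED_SVCHOST_PARENTS


def cmdline_image_mismatch(event: dict) -> bool:
    """Hollowing artifact visible in this report: the image is svchost.exe but
    the command line is the dropper's path, so the image name never appears
    in it. A genuine service host names itself and carries '-k <group>'."""
    return is_svchost(event) and "svchost.exe" not in event["CommandLine"].lower()


def triage(events: list) -> list:
    """Return [(pid, [reason, ...]), ...] for every svchost start that trips a check."""
    hits = []
    for ev in events:
        reasons = []
        if uncommon_parent(ev):
            reasons.append("uncommon parent: " + ev["ParentImage"])
        if cmdline_image_mismatch(ev):
            reasons.append("command line does not name the image: " + ev["CommandLine"])
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(f"PID {pid}:")
        for r in reasons:
            print("  " + r)
```

The second check is the cheaper one to run at scale: it needs no parent baseline at all, and a service host whose command line does not contain its own image name is rare enough on a managed fleet to be worth a ticket on its own.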
Suricata alert (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-09-26T18:55:18.936371+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:62804 | 195.85.59.61:80 | TCP


          AV Detection

Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook, C2 list: ["www.reakinggroundtherapy.pro/e23y/"], plus the 64 decoy domains (the full configuration is reproduced under Classification above)
Source: Bonifico 2692024pdf.exe | ReversingLabs: Detection: 42%
Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bonifico 2692024pdf.exe | Joe Sandbox ML: detected
Source: Bonifico 2692024pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: colorcpl.pdb source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102C93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop esi | 2_2_004172F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop esi | 4_2_032772F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx | 4_2_03267B1B

          Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:62804 -> 195.85.59.61:80
Source: Malware configuration extractor | URLs: www.reakinggroundtherapy.pro/e23y/
Note: the configured C2 host did not resolve during this analysis (www.reakinggroundtherapy.pro returned NXDOMAIN, see the DNS entries below). The one HTTP request recorded is a GET /e23y/ beacon with Host: www.bets.net, a decoy entry and the only queried name that did not return NXDOMAIN; that flow is what the three Suricata signatures matched. FormBook sends the same beacon to decoys and to the real C2, so the contacted host on its own is a weak indicator; the stable part for detection is the URI path from the configuration, the two-parameter query string and the absence of a User-Agent header.
Source: DNS query: www.eeplab.xyz
Source: unknown | DNS traffic detected: query: www.emosjumpers.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: 241.42.69.40.in-addr.arpa, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ome-care-76206.bond, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.oland-flight-deal.today, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.ower-bank-za-4886348.world, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.arpediemwireless.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.eeplab.xyz, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.zkirv.top, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.reakinggroundtherapy.pro, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.believehim.net, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.inoliga.app, reply code: Name error (3)
Source: global traffic | HTTP traffic detected:
  GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL HTTP/1.1
  Host: www.bets.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (empty)
Source: Joe Sandbox View | ASN Name: DANISCODK DANISCODK
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 events)
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_010325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected:
  GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL HTTP/1.1
  Host: www.bets.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (empty)
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: www.eeplab.xyz
Source: global traffic | DNS traffic detected: DNS query: www.inoliga.app
Source: global traffic | DNS traffic detected: DNS query: www.ower-bank-za-4886348.world
Source: global traffic | DNS traffic detected: DNS query: www.zkirv.top
Source: global traffic | DNS traffic detected: DNS query: www.bets.net
Source: global traffic | DNS traffic detected: DNS query: www.emosjumpers.net
Source: global traffic | DNS traffic detected: DNS query: www.arpediemwireless.net
Source: global traffic | DNS traffic detected: DNS query: www.believehim.net
Source: global traffic | DNS traffic detected: DNS query: www.reakinggroundtherapy.pro
Source: global traffic | DNS traffic detected: DNS query: www.oland-flight-deal.today
Source: global traffic | DNS traffic detected: DNS query: www.ome-care-76206.bond
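The network evidence above ties together in a simple way: every queried name is a configured decoy or the configured C2 with "www." prepended, nearly all of them returned NXDOMAIN, and the single HTTP request went to the one decoy that resolved while keeping the C2 URI path /e23y/, a two-parameter query string and no User-Agent. The following is an added example (not Joe Sandbox or FormBook code) that relates DNS log lines and a raw HTTP request to an extracted FormBook configuration. The configuration is the one from this report with the decoy list cut down to the names that occur in the recorded DNS traffic; the DNS lines and the request are rebuilt from the report, and the `replaycode:` field name is copied from the report's own wording.

```python
"""Match observed DNS and HTTP activity against an extracted FormBook config.

Added example for this report (not Joe Sandbox or FormBook code). The
configuration is the one extracted here, with the decoy list cut down to the
names that also appear in the recorded DNS traffic; the log lines and the
HTTP request are rebuilt from the report (query value copied as shown).
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

CONFIG = json.loads("""{
  "C2 list": ["www.reakinggroundtherapy.pro/e23y/"],
  "decoy": ["eeplab.xyz", "inoliga.app", "ower-bank-za-4886348.world", "zkirv.top",
            "bets.net", "emosjumpers.net", "arpediemwireless.net", "believehim.net",
            "oland-flight-deal.today", "ome-care-76206.bond"]
}""")

# Constructed from the 'DNS traffic detected' lines of this report.
DNS_LOG = """\
query: www.emosjumpers.net replaycode: Name error (3)
query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
query: www.ome-care-76206.bond replaycode: Name error (3)
query: www.reakinggroundtherapy.pro replaycode: Name error (3)
query: www.believehim.net replaycode: Name error (3)
query: www.inoliga.app replaycode: Name error (3)
"""

# Constructed from the HTTP request shown in this report.
HTTP_REQUEST = (
    "GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0"
    "&9r4Hc=GdSL HTTP/1.1\r\n"
    "Host: www.bets.net\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def _bare(host: str) -> str:
    """Lower-case and drop the 'www.' that FormBook prepends when beaconing."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def config_roles(config: dict) -> dict:
    """Map bare domain -> 'c2' or 'decoy'. C2 entries carry a URI path,
    decoys are bare names."""
    roles = {_bare(d): "decoy" for d in config["decoy"]}
    for entry in config["C2 list"]:
        roles[_bare(urlsplit("http://" + entry).hostname)] = "c2"
    return roles


def c2_paths(config: dict) -> set:
    return {urlsplit("http://" + e).path for e in config["C2 list"]}


DNS_RE = re.compile(r"query:\s+(\S+)\s+replaycode:\s+(.*?)\s*$")


def classify_dns(log: str, config: dict) -> list:
    """[(qname, role, reply code)] per query line; role is 'c2', 'decoy' or
    'unrelated' (e.g. the reverse lookup recorded in the report)."""
    roles = config_roles(config)
    out = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            qname, rcode = m.groups()
            out.append((qname, roles.get(_bare(qname), "unrelated"), rcode))
    return out


def classify_http(raw: str, config: dict) -> dict:
    """Pick apart one raw HTTP request and relate it to the configuration."""
    head = raw.partition("\r\n\r\n")[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    url = urlsplit(target)
    return {
        "method": method,
        "host": host,
        "role": config_roles(config).get(_bare(host), "unrelated"),
        "path_matches_c2": url.path in c2_paths(config),
        "query_params": sorted(parse_qs(url.query)),
        "has_user_agent": "user-agent" in headers,
    }


if __name__ == "__main__":
    for qname, role, rcode in classify_dns(DNS_LOG, CONFIG):
        print(f"{qname:35} {role:10} {rcode}")
    print(classify_http(HTTP_REQUEST, CONFIG))
```

For hunting, the useful output is the combination rather than any single field: a GET whose path equals a configured C2 path, carries exactly two short random-looking parameters and has no User-Agent is FormBook-shaped regardless of which name in the list happened to resolve that day.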
Source: explorer.exe, 00000003.00000002.4506883763.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
  • http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
  • http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
  • http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000000.2053555947.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.4506223697.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058010233.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058557156.0000000008870000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (FormBook beacon URLs built from the configured names and the /e23y/ path):
  • http://www.8015.xyz
  • http://www.8015.xyz/e23y/
  • http://www.8015.xyz/e23y/www.b-999.top
  • http://www.8015.xyzReferer:
  • http://www.ar-deals-15908.bond
  • http://www.ar-deals-15908.bond/e23y/
  • http://www.ar-deals-15908.bond/e23y/www.wgxb.top
  • http://www.ar-deals-15908.bondReferer:
  • http://www.arpediemwireless.net
  • http://www.arpediemwireless.net/e23y/
  • http://www.arpediemwireless.net/e23y/www.believehim.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arpediemwireless.netReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-999.top
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-999.top/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-999.top/e23y/h
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-999.topReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.believehim.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.believehim.net/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.believehim.net/e23y/www.reakinggroundtherapy.pro
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.believehim.netReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bets.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bets.net/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bets.net/e23y/www.emosjumpers.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.bets.netReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eeplab.xyz
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eeplab.xyz/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eeplab.xyz/e23y/www.inoliga.app
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eeplab.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emosjumpers.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emosjumpers.net/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emosjumpers.net/e23y/www.arpediemwireless.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.emosjumpers.netReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hwqcoiu.xyz
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hwqcoiu.xyz/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hwqcoiu.xyz/e23y/www.bets.net
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hwqcoiu.xyzReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inoliga.app
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inoliga.app/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inoliga.app/e23y/www.ower-bank-za-4886348.world
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.inoliga.appReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oland-flight-deal.today
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oland-flight-deal.today/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oland-flight-deal.today/e23y/www.ome-care-76206.bond
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oland-flight-deal.todayReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ome-care-76206.bond
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ome-care-76206.bond/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ome-care-76206.bond/e23y/www.ar-deals-15908.bond
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ome-care-76206.bondReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ower-bank-za-4886348.world
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ower-bank-za-4886348.world/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ower-bank-za-4886348.world/e23y/www.zkirv.top
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ower-bank-za-4886348.worldReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/www.oland-flight-deal.today
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.proReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top/e23y/www.8015.xyz
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.topReferer:
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zkirv.top
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zkirv.top/e23y/
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zkirv.top/e23y/www.hwqcoiu.xyz
          Source: explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zkirv.topReferer:
          Source: explorer.exe, 00000003.00000002.4510678695.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061812730.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000003.00000003.3825137778.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.4506883763.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000000.2056882234.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4504170102.0000000007637000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000002.4502198824.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097030243.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2054700448.00000000035FA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000003.00000003.3097566585.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507885872.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000003.00000003.3096282137.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507951422.0000000009D42000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000003.00000000.2061812730.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4510678695.000000000C460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comon
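The string hits above are raw memory-scan output: the sixteen `/e23y/` hosts are the FormBook domain list, the `Referer:` fragments are an HTTP header template that happened to sit next to the host strings, the `www.A/e23y/www.B` strings are two adjacent config entries read as one, and the `windows.com`, `msn.com` and `office.com` URLs are telemetry that any `explorer.exe` dump contains. The Python below is an added example (not part of the report and not Joe Sandbox tooling) that turns those rows into a deduplicated indicator list. It takes the shared URI path `/e23y/` and every sample string from the rows above; the only assumption it makes is that a run-together string `http://www.A/e23y/www.B` means host B was stored immediately after A's URL in memory, so the order it reconstructs is a hypothesis to confirm against the extracted configuration, not a fact the report states.

```python
"""Turn Joe Sandbox 'String found in binary or memory' rows into C2 indicators.

Added example for the report above; not Joe Sandbox code. The URI path
"/e23y/" and every sample string come from the report's rows. Reading a
run-together string http://www.A/e23y/www.B as "B was stored right after A's
URL in memory" is our assumption; the order it yields is a hypothesis.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

C2_PATH = "/e23y/"  # URI path shared by every C2 URL in the report

# Substrings marking ordinary Windows/Office telemetry hosts that any
# explorer.exe memory dump contains; these are noise, not indicators.
BENIGN_MARKERS = ("windows.com", "msn.com", "office.com", "outlook.com")

# Constructed sample: a subset of the report's strings, keeping the
# run-together and truncated variants that trip naive URL extraction.
SAMPLE_STRINGS: List[str] = [
    "http://www.8015.xyz/e23y/",
    "http://www.8015.xyz/e23y/www.b-999.top",
    "http://www.8015.xyzReferer:",
    "http://www.ar-deals-15908.bond/e23y/www.wgxb.top",
    "http://www.arpediemwireless.net/e23y/www.believehim.net",
    "http://www.b-999.top/e23y/h",
    "http://www.believehim.net/e23y/www.reakinggroundtherapy.pro",
    "http://www.bets.net/e23y/www.emosjumpers.net",
    "http://www.eeplab.xyz/e23y/www.inoliga.app",
    "http://www.emosjumpers.net/e23y/www.arpediemwireless.net",
    "http://www.hwqcoiu.xyz/e23y/www.bets.net",
    "http://www.inoliga.app/e23y/www.ower-bank-za-4886348.world",
    "http://www.oland-flight-deal.today/e23y/www.ome-care-76206.bond",
    "http://www.ome-care-76206.bond/e23y/www.ar-deals-15908.bond",
    "http://www.ower-bank-za-4886348.world/e23y/www.zkirv.top",
    "http://www.reakinggroundtherapy.pro/e23y/www.oland-flight-deal.today",
    "http://www.wgxb.top/e23y/www.8015.xyz",
    "http://www.zkirv.top/e23y/www.hwqcoiu.xyz",
    "https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe",
    "https://arc.msn.coml",
    "https://powerpoint.office.comcember",
    "https://wns.windows.com/)s",
]

# Case-sensitive on purpose: hosts are lowercase, so a glued-on "Referer:"
# (capital R) ends the host match instead of being absorbed into it.
URL_RE = re.compile(r"https?://(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(/\S*)?")


def parse_string(s: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, path, next_host) for one row, or None if it is not a URL.

    next_host is set only when the path is C2_PATH followed by "www.<host>",
    i.e. the next domain string was glued onto this URL in memory.
    """
    s = s.replace("Referer:", "")  # HTTP header template glued on in memory
    m = URL_RE.match(s)
    if m is None:
        return None
    host, path = m.group(1), m.group(2) or ""
    next_host = ""
    if path.startswith(C2_PATH):
        tail = path[len(C2_PATH):]
        if tail.startswith("www."):
            next_host = tail[len("www."):]
    return host, path, next_host


def classify(strings: List[str]) -> Tuple[Set[str], Set[str], Dict[str, str]]:
    """Split hosts into C2 candidates and benign noise; collect adjacencies."""
    c2: Set[str] = set()
    benign: Set[str] = set()
    edges: Dict[str, str] = {}  # host -> host whose string followed it
    for s in strings:
        parsed = parse_string(s)
        if parsed is None:
            continue
        host, path, next_host = parsed
        if any(marker in host for marker in BENIGN_MARKERS):
            benign.add(host)
        elif path.startswith(C2_PATH):
            c2.add(host)
            if next_host:
                c2.add(next_host)
                edges[host] = next_host
    return c2, benign, edges


def reconstruct_chain(edges: Dict[str, str]) -> List[str]:
    """Walk the adjacencies into one ordered domain list.

    Returns [] unless exactly one host has no predecessor, since the
    order is ambiguous otherwise.
    """
    starts = set(edges) - set(edges.values())
    if len(starts) != 1:
        return []
    chain = [starts.pop()]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


if __name__ == "__main__":
    c2_hosts, benign_hosts, adjacency = classify(SAMPLE_STRINGS)
    print(f"{len(c2_hosts)} C2 candidates, {len(benign_hosts)} benign hosts dropped")
    for i, host in enumerate(reconstruct_chain(adjacency), 1):
        print(f"{i:2d}. http://www.{host}{C2_PATH}")
```

Run against the sample it yields sixteen hosts and a single unbroken chain from `eeplab.xyz` to `b-999.top`. FormBook configurations carry one live C2 among decoy domains that all share the same URI path, so the whole list belongs in the blocklist, not only the host that answered during the run; cross-check the set against the "Found malware configuration" entry before publishing it.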
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0103425A
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01034458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_01034458
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0103425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0103425A
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01020219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_01020219
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0104CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0104CDAC

          E-Banking Fraud

          Source: Yara matchFile source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4512445617.000000000E583000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Bonifico 2692024pdf.exe PID: 6084, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 1900, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: colorcpl.exe PID: 6184, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: This is a third-party compiled AutoIt script.0_2_00FC3B4C
          Source: Bonifico 2692024pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: Bonifico 2692024pdf.exe, 00000000.00000000.2030744951.0000000001075000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f036cb80-1
          Source: Bonifico 2692024pdf.exe, 00000000.00000000.2030744951.0000000001075000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_dd97cbd1-0
          Source: Bonifico 2692024pdf.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_53916b9b-7
          Source: Bonifico 2692024pdf.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_94766f23-f
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A330 NtCreateFile,2_2_0041A330
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A3E0 NtReadFile,2_2_0041A3E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A460 NtClose,2_2_0041A460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A510 NtAllocateVirtualMemory,2_2_0041A510
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A3DA NtReadFile,2_2_0041A3DA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A385 NtCreateFile,2_2_0041A385
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A45B NtClose,2_2_0041A45B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041A50B NtAllocateVirtualMemory,2_2_0041A50B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_03A72BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B60 NtClose,LdrInitializeThunk,2_2_03A72B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AD0 NtReadFile,LdrInitializeThunk,2_2_03A72AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FB0 NtResumeThread,LdrInitializeThunk,2_2_03A72FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F90 NtProtectVirtualMemory,LdrInitializeThunk,2_2_03A72F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FE0 NtCreateFile,LdrInitializeThunk,2_2_03A72FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F30 NtCreateSection,LdrInitializeThunk,2_2_03A72F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_03A72EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E80 NtReadVirtualMemory,LdrInitializeThunk,2_2_03A72E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03A72DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DD0 NtDelayExecution,LdrInitializeThunk,2_2_03A72DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D30 NtUnmapViewOfSection,LdrInitializeThunk,2_2_03A72D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D10 NtMapViewOfSection,LdrInitializeThunk,2_2_03A72D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CA0 NtQueryInformationToken,LdrInitializeThunk,2_2_03A72CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74340 NtSetContextThread,2_2_03A74340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A74650 NtSuspendThread,2_2_03A74650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BA0 NtEnumerateValueKey,2_2_03A72BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72B80 NtQueryInformationFile,2_2_03A72B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72BE0 NtQueryValueKey,2_2_03A72BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AB0 NtWaitForSingleObject,2_2_03A72AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72AF0 NtWriteFile,2_2_03A72AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72FA0 NtQuerySection,2_2_03A72FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72F60 NtCreateProcessEx,2_2_03A72F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72EE0 NtQueueApcThread,2_2_03A72EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72E30 NtWriteVirtualMemory,2_2_03A72E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72DB0 NtEnumerateKey,2_2_03A72DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72D00 NtSetInformationFile,2_2_03A72D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CF0 NtOpenProcess,2_2_03A72CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72CC0 NtQueryVirtualMemory,2_2_03A72CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C00 NtQueryInformationProcess,2_2_03A72C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C60 NtCreateKey,2_2_03A72C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A72C70 NtFreeVirtualMemory,2_2_03A72C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73090 NtSetValueKey,2_2_03A73090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73010 NtOpenDirectoryObject,2_2_03A73010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A735C0 NtCreateMutant,2_2_03A735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A739B0 NtGetContextThread,2_2_03A739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D10 NtOpenProcessToken,2_2_03A73D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A73D70 NtOpenThread,2_2_03A73D70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,2_2_02FEA036
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_02FEA042 NtQueryInformationProcess,2_2_02FEA042
          Source: C:\Windows\explorer.exeCode function: 3_2_0E56CE12 NtProtectVirtualMemory,3_2_0E56CE12
          Source: C:\Windows\explorer.exeCode function: 3_2_0E56B232 NtCreateFile,3_2_0E56B232
          Source: C:\Windows\explorer.exeCode function: 3_2_0E56CE0A NtProtectVirtualMemory,3_2_0E56CE0A
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182D10 NtMapViewOfSection,LdrInitializeThunk,4_2_05182D10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182DD0 NtDelayExecution,LdrInitializeThunk,4_2_05182DD0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_05182DF0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_05182C70
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182C60 NtCreateKey,LdrInitializeThunk,4_2_05182C60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_05182CA0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182F30 NtCreateSection,LdrInitializeThunk,4_2_05182F30
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182FE0 NtCreateFile,LdrInitializeThunk,4_2_05182FE0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_05182EA0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182B60 NtClose,LdrInitializeThunk,4_2_05182B60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_05182BF0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182BE0 NtQueryValueKey,LdrInitializeThunk,4_2_05182BE0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182AD0 NtReadFile,LdrInitializeThunk,4_2_05182AD0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_051835C0 NtCreateMutant,LdrInitializeThunk,4_2_051835C0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05184650 NtSuspendThread,4_2_05184650
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05184340 NtSetContextThread,4_2_05184340
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182D00 NtSetInformationFile,4_2_05182D00
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182D30 NtUnmapViewOfSection,4_2_05182D30
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182DB0 NtEnumerateKey,4_2_05182DB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182C00 NtQueryInformationProcess,4_2_05182C00
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182CC0 NtQueryVirtualMemory,4_2_05182CC0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182CF0 NtOpenProcess,4_2_05182CF0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182F60 NtCreateProcessEx,4_2_05182F60
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182F90 NtProtectVirtualMemory,4_2_05182F90
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182FB0 NtResumeThread,4_2_05182FB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182FA0 NtQuerySection,4_2_05182FA0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182E30 NtWriteVirtualMemory,4_2_05182E30
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182E80 NtReadVirtualMemory,4_2_05182E80
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182EE0 NtQueueApcThread,4_2_05182EE0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182B80 NtQueryInformationFile,4_2_05182B80
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182BA0 NtEnumerateValueKey,4_2_05182BA0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182AB0 NtWaitForSingleObject,4_2_05182AB0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05182AF0 NtWriteFile,4_2_05182AF0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05183010 NtOpenDirectoryObject,4_2_05183010
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05183090 NtSetValueKey,4_2_05183090
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05183D10 NtOpenProcessToken,4_2_05183D10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_05183D70 NtOpenThread,4_2_05183D70
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_051839B0 NtGetContextThread,4_2_051839B0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A330 NtCreateFile,4_2_0327A330
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A3E0 NtReadFile,4_2_0327A3E0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A510 NtAllocateVirtualMemory,4_2_0327A510
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A460 NtClose,4_2_0327A460
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A385 NtCreateFile,4_2_0327A385
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A3DA NtReadFile,4_2_0327A3DA
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A50B NtAllocateVirtualMemory,4_2_0327A50B
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_0327A45B NtClose,4_2_0327A45B
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_04FCA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,4_2_04FCA036
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_04FC9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,4_2_04FC9BAF
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_04FCA042 NtQueryInformationProcess,4_2_04FCA042
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_04FC9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,4_2_04FC9BB2
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01024021: CreateFileW,DeviceIoControl,CloseHandle,0_2_01024021
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01018858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_01018858
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0102545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0102545F
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FCE8000_2_00FCE800
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FEDBB50_2_00FEDBB5
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FCE0600_2_00FCE060
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0104804A0_2_0104804A
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD41400_2_00FD4140
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE24050_2_00FE2405
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF65220_2_00FF6522
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF267E0_2_00FF267E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_010406650_2_01040665
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD68430_2_00FD6843
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE283A0_2_00FE283A
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF89DF0_2_00FF89DF
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0101EB070_2_0101EB07
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01028B130_2_01028B13
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF6A940_2_00FF6A94
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD8A0E0_2_00FD8A0E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_01040AE20_2_01040AE2
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FECD610_2_00FECD61
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF70060_2_00FF7006
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD31900_2_00FD3190
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD710E0_2_00FD710E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FC12870_2_00FC1287
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE33C70_2_00FE33C7
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FEF4190_2_00FEF419
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE16C40_2_00FE16C4
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD56800_2_00FD5680
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE78D30_2_00FE78D3
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FD58C00_2_00FD58C0
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE1BB80_2_00FE1BB8
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF9D050_2_00FF9D05
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FCFE400_2_00FCFE40
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FEBFE60_2_00FEBFE6
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FE1FD00_2_00FE1FD0
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00E536600_2_00E53660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010272_2_00401027
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E3262_2_0041E326
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041D5732_2_0041D573
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041E5B72_2_0041E5B7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0041DDBE2_2_0041DDBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E5B2_2_00409E5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00409E602_2_00409E60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F02_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B003E62_2_03B003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA3522_2_03AFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC02C02_2_03AC02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE02742_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF41A22_2_03AF41A2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B001AA2_2_03B001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF81CC2_2_03AF81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A301002_2_03A30100
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FE0D27 appears 70 times
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FC7F41 appears 35 times
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe Code function: String function: 00FE8B40 appears 42 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03AAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A2B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A87E54 appears 111 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03ABF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A75130 appears 58 times
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05185130 appears 58 times
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 051CF290 appears 105 times
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 05197E54 appears 111 times
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0513B970 appears 280 times
          Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 051BEA12 appears 86 times
          Source: Bonifico 2692024pdf.exe, 00000000.00000003.2040750326.00000000039F3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 2692024pdf.exe
          Source: Bonifico 2692024pdf.exe, 00000000.00000003.2040878420.0000000003EED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 2692024pdf.exe
          Source: Bonifico 2692024pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4512445617.000000000E583000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Bonifico 2692024pdf.exe PID: 6084, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 1900, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: colorcpl.exe PID: 6184, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/4@12/1
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102A2D5 GetLastError,FormatMessageW, 0_2_0102A2D5
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01018713 AdjustTokenPrivileges,CloseHandle, 0_2_01018713
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01018CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_01018CC3
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0102B59E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0103F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0103F121
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102C602 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0102C602
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00FC4FE9
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | File created: C:\Users\user\AppData\Local\Temp\autF7C0.tmp
          Source: Bonifico 2692024pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Bonifico 2692024pdf.exe | ReversingLabs: Detection: 42%
          Source: unknown | Process created: C:\Users\user\Desktop\Bonifico 2692024pdf.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: colorui.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: mscms.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: coloradapterclient.dll
          Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: Bonifico 2692024pdf.exe | Static file information: File size 1126400 > 1048576
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Bonifico 2692024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: colorcpl.pdbGCTL source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: colorcpl.pdb source: svchost.exe, 00000002.00000003.2100988646.000000000341B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101004918.0000000003430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2102673772.0000000005620000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.2100887491.000000000341C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000002.4499924950.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Bonifico 2692024pdf.exe, 00000000.00000003.2041580738.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, Bonifico 2692024pdf.exe, 00000000.00000003.2042095302.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2042804509.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2044608415.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2101958762.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000004.00000003.2101721514.0000000004DB6000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.00000000052AE000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000003.2103406264.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501025868.0000000005110000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4513780603.0000000010CBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4500309363.000000000330E000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000004.00000002.4501809903.000000000565F000.00000004.10000000.00040000.00000000.sdmp
          Source: Bonifico 2692024pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Bonifico 2692024pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Bonifico 2692024pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Bonifico 2692024pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Bonifico 2692024pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0103C304 LoadLibraryA,GetProcAddress, 0_2_0103C304
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FE8B85 push ecx; ret 0_2_00FE8B98
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041702C pushad ; retf 2_2_0041702D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041726A push esp; iretd 2_2_0041726D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417AA2 push ds; retf 2_2_00417AA3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AB37 push FFFFFFF3h; iretd 2_2_0040AB3A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4D2 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D4DB push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D485 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E571 push es; retf 2_2_0041E57A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041D53C push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0225F pushad ; ret 2_2_03A027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A027FA pushad ; ret 2_2_03A027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx 2_2_03A309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A0283D push eax; iretd 2_2_03A02858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03A01366 push eax; iretd 2_2_03A01369
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEEB1E push esp; retn 0000h 2_2_02FEEB1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEEB02 push esp; retn 0000h 2_2_02FEEB03
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_02FEE9B5 push esp; retn 0000h 2_2_02FEEAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E56EB1E push esp; retn 0000h 3_2_0E56EB1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E56EB02 push esp; retn 0000h 3_2_0E56EB03
          Source: C:\Windows\explorer.exe | Code function: 3_2_0E56E9B5 push esp; retn 0000h 3_2_0E56EAE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_109189B5 push esp; retn 0000h 3_2_10918AE7
          Source: C:\Windows\explorer.exe | Code function: 3_2_10918B1E push esp; retn 0000h 3_2_10918B1F
          Source: C:\Windows\explorer.exe | Code function: 3_2_10918B02 push esp; retn 0000h 3_2_10918B03
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_00C51A6D push ecx; ret 4_2_00C51A80
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_051127FA pushad ; ret 4_2_051127F9
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_0511225F pushad ; ret 4_2_051127F9
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_051409AD push ecx; mov dword ptr [esp], ecx 4_2_051409B6
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_0511283D push eax; iretd 4_2_05112858
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_0511135D push eax; iretd 4_2_05111369
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4_2_0327726A push esp; iretd 4_2_0327726D
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00FC4A35
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_010455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_010455FD
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FE33C7
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | API/Special instruction interceptor: Address: E53284
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\colorcpl.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 3269904 second address: 326990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 3269B7E second address: 3269B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1684
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 8260
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 880
          Source: C:\Windows\SysWOW64\colorcpl.exe | Window / User API: threadDelayed 9800
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99881
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 2.0 %
          Source: C:\Windows\SysWOW64\colorcpl.exe | API coverage: 2.2 %
          Source: C:\Windows\explorer.exe TID: 1240 | Thread sleep count: 1684 > 30
          Source: C:\Windows\explorer.exe TID: 1240 | Thread sleep time: -3368000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1240 | Thread sleep count: 8260 > 30
          Source: C:\Windows\explorer.exe TID: 1240 | Thread sleep time: -16520000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 | Thread sleep count: 171 > 30
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 | Thread sleep time: -342000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 | Thread sleep count: 9800 > 30
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6500 | Thread sleep time: -19600000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01024696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_01024696
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102C93C FindFirstFileW,FindClose, 0_2_0102C93C
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0102C9C7
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F35D
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0102F200
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102F65E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01023A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023A2B
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01023D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_01023D4E
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_0102BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0102BF27
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00FC4AFE
          Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000003.00000000.2059229241.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.4506883763.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000003.00000002.4507951422.0000000009C96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000003.00000002.4506883763.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000003.00000002.4502198824.000000000354E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
          Source: explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000002.4506883763.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.2056882234.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | API call chain: ExitProcess graph end node graph_0-98199
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_010341FD BlockInput, 0_2_010341FD
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00FC3B4C
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00FF5CCC
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_0103C304 LoadLibraryA,GetProcAddress,0_2_0103C304
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00E534F0 mov eax, dword ptr fs:[00000030h]0_2_00E534F0
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00E53550 mov eax, dword ptr fs:[00000030h]0_2_00E53550
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00E51E70 mov eax, dword ptr fs:[00000030h]0_2_00E51E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]2_2_03A2E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]2_2_03A5438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]2_2_03A28397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]2_2_03A403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03A4E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]2_2_03A663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]2_2_03AEC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03A3A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]2_2_03A383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]2_2_03AB63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]2_2_03ADE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]2_2_03AD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]2_2_03AD43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]2_2_03B08324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]2_2_03A6A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]2_2_03A2C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]2_2_03A50310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]2_2_03AD437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]2_2_03AB2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]2_2_03AB035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]2_2_03AFA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]2_2_03AD8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]2_2_03B0634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]2_2_03A402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]2_2_03AC62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]2_2_03A6E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]2_2_03AB0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]2_2_03A402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03A3A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]2_2_03B062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]2_2_03A2823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]2_2_03A34260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]2_2_03A2826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]2_2_03AE0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]2_2_03AB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]2_2_03AB8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]2_2_03B0625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]2_2_03A2A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]2_2_03A36259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]2_2_03AEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]2_2_03AEA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]2_2_03A70185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]2_2_03AEC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]2_2_03AD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]2_2_03AD4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]2_2_03AB019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]2_2_03A2A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]2_2_03B061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]2_2_03A601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]2_2_03AF61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03AAE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]2_2_03A60124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]2_2_03ADE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]2_2_03ADA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]2_2_03AF0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]2_2_03B04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]2_2_03B04164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]2_2_03AC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]2_2_03A2C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]2_2_03AC8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]2_2_03A36154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]2_2_03A280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]2_2_03AC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]2_2_03AF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03AF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]2_2_03A3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03A2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]2_2_03A380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]2_2_03AB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03A2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]2_2_03A720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]2_2_03AB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]2_2_03A2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]2_2_03A2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]2_2_03AC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]2_2_03AB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]2_2_03AD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]2_2_03A4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]2_2_03A5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]2_2_03A32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]2_2_03AB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]2_2_03A307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]2_2_03AE47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]2_2_03AD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]2_2_03A527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]2_2_03ABE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]2_2_03A347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03A3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]2_2_03AB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]2_2_03A6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]2_2_03A6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]2_2_03AAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]2_2_03A6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]2_2_03A30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]2_2_03A60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]2_2_03A38770
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_010181F7
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FEA395
          Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exeCode function: 0_2_00FEA364 SetUnhandledExceptionFilter,0_2_00FEA364
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 4_2_00C51AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_00C51AC3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\colorcpl.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: C50000
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30D8008
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01018C93 LogonUserW
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01024F21 mouse_event
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_010181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01024C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Bonifico 2692024pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000003.00000003.3097566585.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507885872.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: Bonifico 2692024pdf.exe, explorer.exe, 00000003.00000000.2056460554.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.2054110873.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4501147415.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.2053555947.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4500060295.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FE886B cpuid
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01002230 GetUserNameW
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_00FC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_81
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_XP
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_XPe
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_VISTA
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_7
Source: Bonifico 2692024pdf.exe | Binary or memory string: WIN_8
Source: Bonifico 2692024pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Bonifico 2692024pdf.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01036596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Bonifico 2692024pdf.exe | Code function: 0_2_01036A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques matched by signatures, with the number of matching signatures in parentheses (the unmatched cells of the standard matrix are not listed):

Initial Access: Valid Accounts (2)
Execution: Native API (2); Shared Modules (1)
Persistence: DLL Side-Loading (1); Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (512)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (512)
Credential Access: Input Capture (21)
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (215); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Impact: System Shutdown/Reboot (1)

No techniques matched for Reconnaissance, Resource Development, Lateral Movement or Exfiltration.
Behavior Graph

Behavior Graph ID: 1519629
Sample: Bonifico 2692024pdf.exe
Start date: 26/09/2024
Architecture: WINDOWS
Score: 100

Contacted domains: www.eeplab.xyz (Performs DNS queries to domains with low reputation), www.zkirv.top, 10 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree:
Bonifico 2692024pdf.exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    -> svchost.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
        -> explorer.exe (injected)
            network: www.bets.net 195.85.59.61, 62804, 80, DANISCODK, Denmark
            -> colorcpl.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                -> cmd.exe (started)
                    -> conhost.exe (started)

Antivirus detections

Source | Detection | Scanner | Label
Bonifico 2692024pdf.exe | 42% | ReversingLabs | Win32.Backdoor.FormBook
Bonifico 2692024pdf.exe | 100% | Joe Sandbox ML | (none)
No Antivirus matches
No Antivirus matches
No Antivirus matches
URL reputation

Source | Detection | Scanner | Label
https://excel.office.com | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://api.msn.com/ | 0% | URL Reputation | safe
http://www.ower-bank-za-4886348.world/e23y/www.zkirv.top | 0% | Avira URL Cloud | safe
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe
http://www.ower-bank-za-4886348.world | 0% | Avira URL Cloud | safe
http://www.bets.net/e23y/www.emosjumpers.net | 0% | Avira URL Cloud | safe
www.reakinggroundtherapy.pro/e23y/ | 0% | Avira URL Cloud | safe
http://www.oland-flight-deal.today/e23y/www.ome-care-76206.bond | 0% | Avira URL Cloud | safe
http://www.hwqcoiu.xyz | 0% | Avira URL Cloud | safe
http://www.believehim.netReferer: | 0% | Avira URL Cloud | safe
https://word.office.comon | 0% | Avira URL Cloud | safe
http://www.ower-bank-za-4886348.worldReferer: | 0% | Avira URL Cloud | safe
http://www.inoliga.app/e23y/ | 0% | Avira URL Cloud | safe
http://www.reakinggroundtherapy.proReferer: | 0% | Avira URL Cloud | safe
http://www.8015.xyz/e23y/ | 0% | Avira URL Cloud | safe
http://www.wgxb.topReferer: | 0% | Avira URL Cloud | safe
http://www.inoliga.app | 0% | Avira URL Cloud | safe
http://www.wgxb.top/e23y/ | 0% | Avira URL Cloud | safe
http://www.ome-care-76206.bond | 0% | Avira URL Cloud | safe
http://www.ar-deals-15908.bond/e23y/www.wgxb.top | 0% | Avira URL Cloud | safe
http://www.ar-deals-15908.bondReferer: | 0% | Avira URL Cloud | safe
http://www.hwqcoiu.xyz/e23y/ | 0% | Avira URL Cloud | safe
http://www.8015.xyz | 0% | Avira URL Cloud | safe
http://www.emosjumpers.net/e23y/www.arpediemwireless.net | 0% | Avira URL Cloud | safe
http://www.arpediemwireless.net/e23y/ | 0% | Avira URL Cloud | safe
http://www.believehim.net/e23y/ | 0% | Avira URL Cloud | safe
http://www.eeplab.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.emosjumpers.net/e23y/ | 0% | Avira URL Cloud | safe
http://www.zkirv.top | 0% | Avira URL Cloud | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe
http://www.arpediemwireless.netReferer: | 0% | Avira URL Cloud | safe
http://www.inoliga.appReferer: | 0% | Avira URL Cloud | safe
http://www.emosjumpers.netReferer: | 0% | Avira URL Cloud | safe
http://www.reakinggroundtherapy.pro | 0% | Avira URL Cloud | safe
http://www.believehim.net/e23y/www.reakinggroundtherapy.pro | 0% | Avira URL Cloud | safe
https://wns.windows.com/)s | 0% | Avira URL Cloud | safe
http://www.arpediemwireless.net/e23y/www.believehim.net | 0% | Avira URL Cloud | safe
http://www.b-999.topReferer: | 0% | Avira URL Cloud | safe
http://www.believehim.net | 0% | Avira URL Cloud | safe
http://www.ower-bank-za-4886348.world/e23y/ | 0% | Avira URL Cloud | safe
http://www.zkirv.top/e23y/ | 0% | Avira URL Cloud | safe
http://www.ome-care-76206.bond/e23y/ | 0% | Avira URL Cloud | safe
http://www.arpediemwireless.net | 0% | Avira URL Cloud | safe
http://www.b-999.top/e23y/h | 0% | Avira URL Cloud | safe
http://www.oland-flight-deal.todayReferer: | 0% | Avira URL Cloud | safe
http://www.bets.netReferer: | 0% | Avira URL Cloud | safe
http://www.bets.net/e23y/ | 0% | Avira URL Cloud | safe
http://www.oland-flight-deal.today | 0% | Avira URL Cloud | safe
http://www.wgxb.top/e23y/www.8015.xyz | 0% | Avira URL Cloud | safe
http://www.zkirv.topReferer: | 0% | Avira URL Cloud | safe
http://www.bets.net/e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL | 0% | Avira URL Cloud | safe
http://www.wgxb.top | 0% | Avira URL Cloud | safe
http://www.oland-flight-deal.today/e23y/ | 0% | Avira URL Cloud | safe
http://www.ar-deals-15908.bond/e23y/ | 0% | Avira URL Cloud | safe
http://www.emosjumpers.net | 0% | Avira URL Cloud | safe
http://www.b-999.top | 0% | Avira URL Cloud | safe
https://outlook.com | 0% | Avira URL Cloud | safe
http://www.hwqcoiu.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.reakinggroundtherapy.pro/e23y/ | 0% | Avira URL Cloud | safe
http://www.zkirv.top/e23y/www.hwqcoiu.xyz | 0% | Avira URL Cloud | safe
http://www.8015.xyz/e23y/www.b-999.top | 0% | Avira URL Cloud | safe
http://www.ome-care-76206.bondReferer: | 0% | Avira URL Cloud | safe
http://www.8015.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.hwqcoiu.xyz/e23y/www.bets.net | 0% | Avira URL Cloud | safe
http://www.eeplab.xyz | 0% | Avira URL Cloud | safe
http://www.bets.net | 0% | Avira URL Cloud | safe
http://www.ome-care-76206.bond/e23y/www.ar-deals-15908.bond | 0% | Avira URL Cloud | safe
http://www.b-999.top/e23y/ | 0% | Avira URL Cloud | safe
http://www.inoliga.app/e23y/www.ower-bank-za-4886348.world | 0% | Avira URL Cloud | safe
http://www.ar-deals-15908.bond | 0% | Avira URL Cloud | safe
http://www.eeplab.xyz/e23y/www.inoliga.app | 0% | Avira URL Cloud | safe
http://www.eeplab.xyz/e23y/ | 0% | Avira URL Cloud | safe
http://www.reakinggroundtherapy.pro/e23y/www.oland-flight-deal.today | 0% | Avira URL Cloud | safe
http://crl.v | 0% | Avira URL Cloud | safe
Domains and IPs

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.bets.net | 195.85.59.61 | true | true | (none) | unknown
241.42.69.40.in-addr.arpa | unknown | unknown | true | (none) | unknown
www.eeplab.xyz | unknown | unknown | true | (none) | unknown
www.ower-bank-za-4886348.world | unknown | unknown | true | (none) | unknown
www.oland-flight-deal.today | unknown | unknown | true | (none) | unknown
www.zkirv.top | unknown | unknown | true | (none) | unknown
www.reakinggroundtherapy.pro | unknown | unknown | true | (none) | unknown
www.emosjumpers.net | unknown | unknown | true | (none) | unknown
www.arpediemwireless.net | unknown | unknown | true | (none) | unknown
www.ome-care-76206.bond | unknown | unknown | true | (none) | unknown
www.inoliga.app | unknown | unknown | true | (none) | unknown
www.believehim.net | unknown | unknown | true | (none) | unknown
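Every C2 URL in this report shares the path /e23y/, the one fully recorded request (http://www.bets.net/e23y/?t8UP=...&9r4Hc=GdSL) has a fixed shape, and the DNS table shows that all but one of the configured domains failed to resolve. The following is an added example written for this page, not Joe Sandbox output or FormBook's own code: it turns those three observations into checks over proxy and DNS logs. The log formats are constructed for the example; the domains and the full URL are taken from the report, and the URL-shape thresholds (four-character directory, two parameters, first value at least 40 base64-like characters, second at most 8) are an assumption derived from that single URL and must be tuned against real traffic before use.

```python
"""Match the report's network indicators against proxy and DNS logs.

Added example, not part of the Joe Sandbox report. The log formats are
constructed for this example; only the domains and the one full C2 URL come
from the report, and the URL-shape thresholds are an assumption derived from it.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains from the report's DNS table and C2 URL list.
C2_DOMAINS = {
    "www.bets.net", "www.eeplab.xyz", "www.ower-bank-za-4886348.world",
    "www.oland-flight-deal.today", "www.zkirv.top", "www.reakinggroundtherapy.pro",
    "www.emosjumpers.net", "www.arpediemwireless.net", "www.ome-care-76206.bond",
    "www.inoliga.app", "www.believehim.net", "www.hwqcoiu.xyz", "www.8015.xyz",
    "www.b-999.top", "www.wgxb.top", "www.ar-deals-15908.bond",
}

# Constructed proxy log, "<client> <method> <url> <status>". The first URL is the one
# the report recorded; the last is an unlisted host carrying the same URL shape.
PROXY_LOG = """\
10.0.0.5 GET http://www.bets.net/e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL 200
10.0.0.7 GET https://www.microsoft.com/en-us/ 200
10.0.0.9 GET http://example.org/e23y/?Ab1x=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgdmFsdWU&q2=Zz 200
"""

# Constructed DNS log, "<client> <qname> <rcode>".
DNS_LOG = """\
10.0.0.5 www.eeplab.xyz NXDOMAIN
10.0.0.5 www.zkirv.top NXDOMAIN
10.0.0.5 www.inoliga.app NXDOMAIN
10.0.0.5 www.believehim.net NXDOMAIN
10.0.0.5 www.bets.net NOERROR
10.0.0.7 www.microsoft.com NOERROR
10.0.0.7 login.live.com NOERROR
"""

_B64ISH = re.compile(r"[A-Za-z0-9+/_=-]+")


def formbook_shaped(url: str) -> bool:
    """Heuristic (assumption) derived from the single full C2 URL in the report:
    a four-character directory, then exactly two parameters with random names,
    the first a long base64-like blob and the second a short tag."""
    parts = urlsplit(url)
    if not re.fullmatch(r"/[A-Za-z0-9]{4}/", parts.path):
        return False
    # Split by hand: urllib's parse_qsl would turn '+' inside a base64 value into a space.
    params = [p.split("=", 1) for p in parts.query.split("&") if p]
    if len(params) != 2 or any(len(p) != 2 for p in params):
        return False
    first, second = params[0][1], params[1][1]
    return (len(first) >= 40 and len(second) <= 8
            and _B64ISH.fullmatch(first) is not None
            and _B64ISH.fullmatch(second) is not None)


def check_proxy(log: str) -> list[tuple[str, str, tuple[str, ...]]]:
    """Return (client, url, tags) for each request hitting a listed domain or the C2 shape."""
    hits = []
    for line in log.splitlines():
        client, _method, url, _status = line.split()
        tags = []
        if (urlsplit(url).hostname or "").lower() in C2_DOMAINS:
            tags.append("known-domain")
        if formbook_shaped(url):
            tags.append("c2-shape")
        if tags:
            hits.append((client, url, tuple(tags)))
    return hits


def check_dns(log: str, min_failures: int = 3) -> dict[str, list[str]]:
    """Clients that failed to resolve at least min_failures distinct names: the
    'tries to resolve many domain names, but no domain seems valid' behaviour."""
    failed: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            failed[client].add(qname.lower())
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_failures}


if __name__ == "__main__":
    for client, url, tags in check_proxy(PROXY_LOG):
        print(client, ",".join(tags), url)
    for client, names in check_dns(DNS_LOG).items():
        print(client, "NXDOMAIN x%d:" % len(names), ", ".join(names))
```

The domain list is the weakest of the three checks on its own: FormBook configurations mix live C2 hosts with decoy domains, so a "known-domain" hit on, say, www.bets.net is corroborated only when the "c2-shape" tag or the /e23y/ path appears on the same request. The NXDOMAIN burst is the most durable signal here, since it is produced by the sample walking its embedded list regardless of which entries are currently registered.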
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.reakinggroundtherapy.pro/e23y/ | true | Avira URL Cloud: safe | unknown
http://www.bets.net/e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL | true | Avira URL Cloud: safe | unknown
URLs from memory and binary data

Source sets referenced in the table:
(A) explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
(B) explorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmp
(C) explorer.exe, 00000003.00000000.2061812730.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4510678695.000000000C460000.00000004.00000001.00020000.00000000.sdmp
(D) explorer.exe, 00000003.00000003.3097566585.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507885872.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.ower-bank-za-4886348.world/e23y/www.zkirv.top | (A) | false | Avira URL Cloud: safe | unknown
https://word.office.comon | (B) | false | Avira URL Cloud: safe | unknown
http://www.bets.net/e23y/www.emosjumpers.net | (A) | false | Avira URL Cloud: safe | unknown
http://www.ower-bank-za-4886348.worldReferer: | (A) | false | Avira URL Cloud: safe | unknown
http://www.hwqcoiu.xyz | (A) | false | Avira URL Cloud: safe | unknown
http://www.oland-flight-deal.today/e23y/www.ome-care-76206.bond | (A) | false | Avira URL Cloud: safe | unknown
http://www.ower-bank-za-4886348.world | (A) | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | (C) | false | Avira URL Cloud: safe | unknown
http://www.believehim.netReferer: | (A) | false | Avira URL Cloud: safe | unknown
http://www.inoliga.app/e23y/ | (A) | false | Avira URL Cloud: safe | unknown
http://www.8015.xyz/e23y/ | (A) | false | Avira URL Cloud: safe | unknown
http://www.reakinggroundtherapy.proReferer: | (A) | false | Avira URL Cloud: safe | unknown
http://www.ome-care-76206.bond | (A) | false | Avira URL Cloud: safe | unknown
http://www.inoliga.app | (A) | false | Avira URL Cloud: safe | unknown
http://www.wgxb.top/e23y/ | (A) | false | Avira URL Cloud: safe | unknown
http://www.ar-deals-15908.bondReferer: | (A) | false | Avira URL Cloud: safe | unknown
https://excel.office.com | (D) | false | Avira URL Cloud: safe | unknown
                                  • URL Reputation: safe
                                  unknown
                                  http://schemas.microexplorer.exe, 00000003.00000002.4506223697.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058010233.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.2058557156.0000000008870000.00000002.00000001.00040000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.wgxb.topReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ar-deals-15908.bond/e23y/www.wgxb.topexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hwqcoiu.xyz/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.8015.xyzexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.emosjumpers.net/e23y/www.arpediemwireless.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.arpediemwireless.net/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.emosjumpers.net/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.eeplab.xyzReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.reakinggroundtherapy.proexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.believehim.net/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000003.00000002.4510678695.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2061812730.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.zkirv.topexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.arpediemwireless.netReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.inoliga.appReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.emosjumpers.netReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.believehim.net/e23y/www.reakinggroundtherapy.proexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ome-care-76206.bond/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://wns.windows.com/)sexplorer.exe, 00000003.00000000.2059229241.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4506883763.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.arpediemwireless.net/e23y/www.believehim.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ower-bank-za-4886348.world/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.believehim.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.b-999.top/e23y/hexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.zkirv.top/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.b-999.topReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.arpediemwireless.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.oland-flight-deal.todayReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.oland-flight-deal.todayexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.bets.net/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.bets.netReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.wgxb.top/e23y/www.8015.xyzexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.wgxb.topexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.zkirv.topReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.oland-flight-deal.today/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ar-deals-15908.bond/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.emosjumpers.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://outlook.comexplorer.exe, 00000003.00000003.3096282137.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3095576604.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009B79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4507951422.0000000009D42000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.b-999.topexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hwqcoiu.xyzReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.8015.xyz/e23y/www.b-999.topexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.zkirv.top/e23y/www.hwqcoiu.xyzexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ome-care-76206.bondReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.reakinggroundtherapy.pro/e23y/explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.8015.xyzReferer:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hwqcoiu.xyz/e23y/www.bets.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ome-care-76206.bond/e23y/www.ar-deals-15908.bondexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.eeplab.xyzexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.bets.netexplorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://android.notify.windows.com/iOSexplorer.exe, 00000003.00000003.3825137778.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2056882234.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
URL:http://www.inoliga.app/e23y/www.ower-bank-za-4886348.world
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:http://www.b-999.top/e23y/
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:http://www.eeplab.xyz/e23y/
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:http://www.ar-deals-15908.bond
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:https://api.msn.com/
Source:explorer.exe, 00000003.00000002.4506883763.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2059229241.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:URL Reputation: safe
Reputation:unknown
URL:http://www.eeplab.xyz/e23y/www.inoliga.app
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:http://crl.v
Source:explorer.exe, 00000003.00000000.2053555947.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4500060295.0000000000F13000.00000004.00000020.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
URL:http://www.reakinggroundtherapy.pro/e23y/www.oland-flight-deal.today
Source:explorer.exe, 00000003.00000003.3096614317.0000000003531000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097468777.000000000353F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3097489630.0000000003544000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4502170784.0000000003545000.00000004.00000001.00020000.00000000.sdmp
Malicious:false
Antivirus Detection:Avira URL Cloud: safe
Reputation:unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.85.59.61 | www.bets.net | Denmark | 15411 | DANISCODK | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1519629
                                  Start date and time:2024-09-26 18:52:08 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 10m 28s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:1
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Sample name:Bonifico 2692024pdf.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@8/4@12/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 62
                                  • Number of non-executed functions: 269
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
• Override analysis time to 240000 for currently running targets with high CPU consumption
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                  • Report size getting too big, too many NtOpenKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: Bonifico 2692024pdf.exe
Time | Type | Description
12:53:00 | API Interceptor | 8415482x Sleep call for process: explorer.exe modified
12:53:42 | API Interceptor | 7173248x Sleep call for process: colorcpl.exe modified
                                  No context
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DANISCODK | _eagjyz.js | malicious | Unknown | 193.149.129.167
 | _gfsffp.js | malicious | Unknown | 193.149.129.167
 | _rnnsnn.js | malicious | Unknown | 193.149.129.167
 | _eagjyz.js | malicious | Unknown | 193.149.129.167
 | _gfsffp.js | malicious | Unknown | 193.149.129.167
 | _rnnsnn.js | malicious | Unknown | 193.149.129.167
 | WhatsApp_Image_2024_05-01_DCiM.jpeg.lnk | malicious | Unknown | 195.85.115.130
 | https://0nline.flloridamoves.com/?bx8hR=bIc18z#monique.kaldy@cbvegas.com | malicious | Unknown | 193.149.129.217
 | OrderPI.exe | malicious | FormBook | 193.149.176.221
 | scan19062024.exe | malicious | FormBook | 193.149.176.221
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\Bonifico 2692024pdf.exe
                                  File Type:ASCII text, with very long lines (28674), with no line terminators
                                  Category:dropped
                                  Size (bytes):28674
                                  Entropy (8bit):3.590367470893606
                                  Encrypted:false
                                  SSDEEP:384:yJejr2r2+ReyZonPlWrqGrXO/AKJmJEcvRNlLBm5JjuN0d04T1EL3FHhC:seOK8eyGnPlWrGWJEcvRNsIhi1uPC
                                  MD5:20958529682DD9C4AFC69F8781C70740
                                  SHA1:1FF5810ED209E6D4A7824BEB3280B9DA214FBCBC
                                  SHA-256:A77A5D83498E73F96629315589FA84FD5D1E41D61CC8F0FAAB66256BE3778087
                                  SHA-512:7B9D546066F516473AD425360867EC639BA1DD76D61E90C1FF648CF74B497615D0E50E6ED1A3A37620E1294692A97DE04700C849C91CD0E4163EB34B7258B7E7
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\Bonifico 2692024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):185602
                                  Entropy (8bit):7.981763331736462
                                  Encrypted:false
                                  SSDEEP:3072:nrGBNyQ2CNPP3gZtpIQOmQRF5wtKssJTzMmfdyGRBUtIFhXZg7KMaDYH5G8QPz:niBNy7QPPOahPhImly+kAZgKDOhA
                                  MD5:4F0B5EFF1F685768E6ED62DBBCE2739B
                                  SHA1:41FEA2762B0E2A24EF5DA109C9C4D3EED9711075
                                  SHA-256:3B51A242AC7B1BFFBFA7DEC1442CB35D98512577BE11F00DECFC0E27D30323E5
                                  SHA-512:9DDB1E8E3F1D9DD1FF23B29ABCDC2B4076F4F227F4DCBD608DFF73B0659FCC67E55D758C98FAA99ABB719F0B9C8EF835AFAA6BFD8A9D909D0D951D0631B2D33A
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06.......1MT.4...:Z..1....4I......=.R.E.Q.@...M.Nj.:]^.D.M*tz.b.L.Q1...2S.R..<...Q....ef.s....9..Sh.Ke...)).Z.....%..v8..Q5..5.u..k>.}.O..M.ZNT.......Z.g......6.....q[.n....K}.mN...M. .....W...V..:.]t,.[.....@.....+?H...mP.U+.....xDf.....;.L..zX..T.U@....M.3`..T.p..*. .T...M..H..<b......~ ...$z.6..@..6V.E.U...5&gJ...|7JeJH.-.........................=.....n}.I...i..<....BiQ+..G.R...o...by.Y.;...x..).....Sp.......b........O..-..T..7{}.3...V.....7.......:.?..j..76..s"..~C.S..<..b.D.hj..e{.............(...y...7..f.J..g.-..O..W~Y.v./...&t...;M.n.|8}.e...=.......0...@.....Z.Z...E..M.Hf\...eJ..zT>..w.....|U....bt..n#y.....,Jg...t./......S.?#...V..%...xW...'R..g.(..!..Q.....m....2...~6.:.g.....<..g}T.U8yLn.....@..6o..{.*...Q..kp.}K_..Df7...gE....m..Gx...[.._...waU.}'...r.z..*w..Q.P}.{G..7.......h`8G6.>..@p.6........W.p..%L.@w........tn|W.J.C..I........}..]I.^9..\.a..Mp.=..6.[....37...*....'...w...'CR.d...U...Ay...Rq....X..M..........(.......
                                  Process:C:\Users\user\Desktop\Bonifico 2692024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):9820
                                  Entropy (8bit):7.609666698119903
                                  Encrypted:false
                                  SSDEEP:192:K7U22a8TlLT5tyTQXTjrlbkmhAWLBBs8dDmuPTfxy4yl6hUs:K7iJZ5tqgT/lbEKBKoDmyTfxy4o6hJ
                                  MD5:DAA7B2FF04D9A25F736CE44C976A2472
                                  SHA1:E5BE3DEA6308478C3EF985ADD3EA8357876C68ED
                                  SHA-256:10C3951EDF19209F0CFB21F37F667F6B2265520715D3943974BA3283B60F5CF4
                                  SHA-512:D7B366F3DE96659E9DEF1065842378092C69D859FF571B2430AA8CAADA6A00B0A3C4BB420A95844391D40ED2BDC13CF46A90C3423A92CA61E60E0182DC0CB28B
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06..p..Z.Y..p.LnW...a2....Y..oo.M.....a6.N'3I..io....].......K........|...o..o.M.......8.....9.[.30....3....2.Z..k9..6.@.o.l..\......g.9.L.w...\....N..3I.........9..&....r.'.Y...c ....An.H.......F.3<..\..6....`....f@...x..j....Br.....[..0..n3.|.n...\f@5_..h....f.5_..p.U..m.5_....U..n@5_..`.U..@5\..>3...M.^.n.Z..k6.z..o6......@......y..G../Z.M. .....jr.....n.u....$.`./.o8...f.G_T.......@>_.......zk5....i..... ...................`.M..`... ...p...@....'.4...{>K|..c.Mm.@..[..._..p......>Kx#G.o..3|w...G.4..&@8_..kp..i|w.....p.h............7.MnsK....M...;..8..f.0.L..79..f..+..ff6....6.N. ...f...E...Y....3.I.............w............2p....<d....,vb...t....N@!+..'& ....,fo2..n6........r.2.X...c3k..es.Y.!...Gf@....,f.9.N.`. .#7.....c.0.....y..p.h.s.....,vf...|..t.L@...40.....f.....&3....4..@.6.-..p..S....2...S0.N.@.;5.`...9.......k8.....c.P..\.3.wx.....vl........E......y6....p.c3....4..b.!....F ....B5p.L.3........vn.....f....r...B3P.....;8.X...n.............g......k...p...
                                  Process:C:\Users\user\Desktop\Bonifico 2692024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):189440
                                  Entropy (8bit):7.883532220406004
                                  Encrypted:false
                                  SSDEEP:3072:zbh1RTPx05wO51l+ZORdi/46EuB1F6Wuugm0hlEj9q9PnzuxEBCwNg89cS:J1x6NN+ARqB1FJufjhu89nixVOcS
                                  MD5:BB2475D7D60669356F25548612157D60
                                  SHA1:D149E8571960D9150C6BB060621A7CCE8FC3A358
                                  SHA-256:0DCB8964DE13976F2C158238E93FEFCD520979E42E533CD6ECCA2EF8CFECDABA
                                  SHA-512:953907A81F3EB7409497E20DD2999950A8DD4AC93372E83BF09161E49CBD4B88F08E63B8985B31F2D04A67452F4651A73DEEC465855EBC23D868D93DFF524E9F
                                  Malicious:false
                                  Reputation:low
                                  Preview:.....6Q4Kk.C....k.D3..y[\...HELFB6Q4K3JMJ9P3KWJD04SGQXTLRD.ELFL).:K.C.k.Q..v.,YGs7#73>3)h&-(,Y%.)Vj??WpZ%w..c.>(5=zA_NlELFB6Q4..B...6...,..5..X.......F....-..M....-..-S\..7.TLRDHELFB6Q4K3JM.|P3.VKD....QXTLRDHE.F@7Z5A3J.H9P3KWJD04c.PXT\RDH.NFB6.4K#JMJ;P3NWKD04SGTXULRDHEL.@6Q6K3JMJ9R3..JD 4SWQXTLBDHULFB6Q4[3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD.@6?%XTL.JELVB6Q.I3J]J9P3KWJD04SGQXtLR$HELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3JMJ9P3KWJD04SGQXTLRDHELFB6Q4K3
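The preview of the last dropped file (189,440 bytes, entropy 7.88) is instructive: after a few garbled bytes the same 30-character string, HELFB6Q4K3JMJ9P3KWJD04SGQXTLRD, repeats back to back. That is the signature of a repeating XOR key applied over a zero-filled stretch of plaintext, since 0 XOR k is k, so the key prints itself in the clear. The report does not establish how the dropped files are encoded, so treating this file as XOR-encoded with that key is an assumption. The script below is an added example and not part of the report: it recovers the key period by counting byte coincidences at each candidate shift, recovers the key bytes as the most common byte in each key position (the zero run makes that the key byte), and checks the round trip. The input is constructed in the script; it is not the dropped file.

```python
"""Added example, not from the report: recover a repeating XOR key from data
that contains long runs of zero bytes.

Assumption, not established by the report: the dropped 189,440-byte file whose
preview shows "HELFB6Q4K3JMJ9P3KWJD04SGQXTLRD" repeating is XOR-encoded with
that 30-byte key. A zero plaintext byte is encoded as the key byte itself
(0 ^ k == k), so a zero-filled region prints the key in the clear. The input
below is constructed; it is not the dropped file.
"""
import hashlib
from collections import Counter

KEY = b"HELFB6Q4K3JMJ9P3KWJD04SGQXTLRD"  # the string repeating in the preview


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(data: bytes, max_len: int = 64) -> int:
    """Period of the key. For the true length L, data[i] == data[i+L] wherever
    the plaintext repeats with period L, which a zero run always does.
    Multiples of L score about the same, so take the smallest length whose
    score is close to the best one."""
    scores = {}
    for length in range(1, max_len + 1):
        n = len(data) - length
        hits = sum(1 for i in range(n) if data[i] == data[i + length])
        scores[length] = hits / n
    best = max(scores.values())
    return min(length for length, s in scores.items() if s >= 0.9 * best)


def recover_key(data: bytes, key_len: int) -> bytes:
    """Most frequent byte in each key position. This is the key byte as long as
    zero is the most common plaintext byte in that position."""
    return bytes(Counter(data[j::key_len]).most_common(1)[0][0] for j in range(key_len))


def build_sample() -> bytes:
    """Constructed plaintext: a pseudo-random header, a zero-filled region and a
    short text tail. Derived from SHA-256 so the demo is repeatable."""
    header = b"MZ\x90\x00" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(10))
    return header + b"\x00" * 900 + b"This program cannot be run in DOS mode.\r\n" * 4


def demo():
    """Encode the sample, then recover length and key from the ciphertext alone."""
    plaintext = build_sample()
    blob = xor(plaintext, KEY)
    key_len = guess_key_length(blob)
    key = recover_key(blob, key_len)
    return key_len, key, xor(blob, key) == plaintext


if __name__ == "__main__":
    key_len, key, ok = demo()
    print(f"key length {key_len}, key {key!r}, round-trip {'ok' if ok else 'FAILED'}")
```

On a real dropped file the same two steps apply to the raw bytes; if the most-common-byte vote is split in some positions (no zero run long enough), the visible repeat in the preview gives the key directly and only the alignment (which of the 30 rotations) has to be tried.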
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.065054457366454
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:Bonifico 2692024pdf.exe
                                  File size:1'126'400 bytes
                                  MD5:ab5a5fadd9a58b412281fa7c040c54ef
                                  SHA1:d67c6a5fb65869cbb381c0a8276dea5e30ecfed1
                                  SHA256:e4d1f88b5db146a70bce062886dd60b15d13bda9b325535ef4d3ffcb484981ec
                                  SHA512:fd4144fccc27cab79fa9001e9847a65cc778f01c1d2311babc8982cd30c6ba4f2e85d8059f68b9111cfe103d29172dd40d4aadc6e29cb3db60a07e2af5d321f9
                                  SSDEEP:24576:PAHnh+eWsN3skA4RV1Hom2KXMmHara7ystgXDMSJA1p5:yh+ZkldoPK8Yara7y4S5Wl
                                  TLSH:C935AD0273D5C032FFABA2739B6AF64156BC79254133852F13981DB9BC701B2267E663
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x42800a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F53FF5 [Thu Sep 26 11:05:25 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                  Instruction
                                  call 00007F9E20D6582Dh
                                  jmp 00007F9E20D585E4h
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  int3
                                  push edi
                                  push esi
                                  mov esi, dword ptr [esp+10h]
                                  mov ecx, dword ptr [esp+14h]
                                  mov edi, dword ptr [esp+0Ch]
                                  mov eax, ecx
                                  mov edx, ecx
                                  add eax, esi
                                  cmp edi, esi
                                  jbe 00007F9E20D5876Ah
                                  cmp edi, eax
                                  jc 00007F9E20D58ACEh
                                  bt dword ptr [004C41FCh], 01h
                                  jnc 00007F9E20D58769h
                                  rep movsb
                                  jmp 00007F9E20D58A7Ch
                                  cmp ecx, 00000080h
                                  jc 00007F9E20D58934h
                                  mov eax, edi
                                  xor eax, esi
                                  test eax, 0000000Fh
                                  jne 00007F9E20D58770h
                                  bt dword ptr [004BF324h], 01h
                                  jc 00007F9E20D58C40h
                                  bt dword ptr [004C41FCh], 00000000h
                                  jnc 00007F9E20D5890Dh
                                  test edi, 00000003h
                                  jne 00007F9E20D5891Eh
                                  test esi, 00000003h
                                  jne 00007F9E20D588FDh
                                  bt edi, 02h
                                  jnc 00007F9E20D5876Fh
                                  mov eax, dword ptr [esi]
                                  sub ecx, 04h
                                  lea esi, dword ptr [esi+04h]
                                  mov dword ptr [edi], eax
                                  lea edi, dword ptr [edi+04h]
                                  bt edi, 03h
                                  jnc 00007F9E20D58773h
                                  movq xmm1, qword ptr [esi]
                                  sub ecx, 08h
                                  lea esi, dword ptr [esi+08h]
                                  movq qword ptr [edi], xmm1
                                  lea edi, dword ptr [edi+08h]
                                  test esi, 00000007h
                                  je 00007F9E20D587C5h
                                  bt esi, 03h
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD5 build 40629
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x488f4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x111000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x488f4 | 0x48a00 | 02865e29a111cf4351a20c6c2c559f8a | False | 0.9093360047332186 | data | 7.851376972102306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x111000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x3fbba | data | | | 1.0003294388048267
RT_GROUP_ICON | 0x110374 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1103ec | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x110400 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x110414 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x110428 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x110504 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                  DLLImport
                                  WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                  VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                  WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                  COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                  MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                  WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                  PSAPI.DLLGetProcessMemoryInfo
                                  IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                  USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                  UxTheme.dllIsThemeActive
                                  KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, 
LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Note: if the report's "Binary is likely a compiled AutoIt script file" verdict is right, this import table belongs to the AutoIt3 runtime that wraps the script, so the input-blocking (BlockInput), keystroke-injection (keybd_event, SendInput), clipboard and token/logon imports describe what the interpreter can do for any script, not what this particular script does. The FormBook payload is the injected code that the in-memory Yara matches listed under each process identify.
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T18:55:18.936371+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 62804 | 195.85.59.61 | 80 | TCP
2024-09-26T18:55:18.936371+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 62804 | 195.85.59.61 | 80 | TCP
2024-09-26T18:55:18.936371+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.5 | 62804 | 195.85.59.61 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 18:55:18.420250893 CEST | 62804 | 80 | 192.168.2.5 | 195.85.59.61
Sep 26, 2024 18:55:18.425430059 CEST | 80 | 62804 | 195.85.59.61 | 192.168.2.5
Sep 26, 2024 18:55:18.425513029 CEST | 62804 | 80 | 192.168.2.5 | 195.85.59.61
Sep 26, 2024 18:55:18.425595999 CEST | 62804 | 80 | 192.168.2.5 | 195.85.59.61
Sep 26, 2024 18:55:18.430399895 CEST | 80 | 62804 | 195.85.59.61 | 192.168.2.5
Sep 26, 2024 18:55:18.926310062 CEST | 62804 | 80 | 192.168.2.5 | 195.85.59.61
Sep 26, 2024 18:55:18.931955099 CEST | 80 | 62804 | 195.85.59.61 | 192.168.2.5
Sep 26, 2024 18:55:18.936371088 CEST | 62804 | 80 | 192.168.2.5 | 195.85.59.61
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 18:53:31.465607882 CEST | 53 | 63849 | 162.159.36.2 | 192.168.2.5
Sep 26, 2024 18:53:32.055697918 CEST | 64516 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:53:32.063766956 CEST | 53 | 64516 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:53:35.691802979 CEST | 55778 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:53:35.760637999 CEST | 53 | 55778 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:53:57.143953085 CEST | 65305 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:53:57.170327902 CEST | 53 | 65305 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:54:16.112967014 CEST | 61167 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:54:16.129103899 CEST | 53 | 61167 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:54:36.553270102 CEST | 63942 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:54:36.649272919 CEST | 53 | 63942 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:55:18.380350113 CEST | 56884 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:55:18.419200897 CEST | 53 | 56884 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:55:38.960226059 CEST | 57982 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:55:38.991956949 CEST | 53 | 57982 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:55:59.778784990 CEST | 62937 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:55:59.792143106 CEST | 53 | 62937 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:56:20.191193104 CEST | 52590 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:56:20.204567909 CEST | 53 | 52590 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:56:40.800338030 CEST | 63600 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:56:40.830159903 CEST | 53 | 63600 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:57:01.206425905 CEST | 51054 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:57:01.221259117 CEST | 53 | 51054 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 18:57:22.506433964 CEST | 62916 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 18:57:22.516926050 CEST | 53 | 62916 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 18:53:32.055697918 CEST | 192.168.2.5 | 1.1.1.1 | 0x91e2 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Sep 26, 2024 18:53:35.691802979 CEST | 192.168.2.5 | 1.1.1.1 | 0x6d8b | Standard query (0) | www.eeplab.xyz | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:53:57.143953085 CEST | 192.168.2.5 | 1.1.1.1 | 0x3e75 | Standard query (0) | www.inoliga.app | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:54:16.112967014 CEST | 192.168.2.5 | 1.1.1.1 | 0xe0af | Standard query (0) | www.ower-bank-za-4886348.world | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:54:36.553270102 CEST | 192.168.2.5 | 1.1.1.1 | 0x58e7 | Standard query (0) | www.zkirv.top | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:18.380350113 CEST | 192.168.2.5 | 1.1.1.1 | 0xe638 | Standard query (0) | www.bets.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:38.960226059 CEST | 192.168.2.5 | 1.1.1.1 | 0x7749 | Standard query (0) | www.emosjumpers.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:59.778784990 CEST | 192.168.2.5 | 1.1.1.1 | 0xa566 | Standard query (0) | www.arpediemwireless.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:56:20.191193104 CEST | 192.168.2.5 | 1.1.1.1 | 0xa1 | Standard query (0) | www.believehim.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:56:40.800338030 CEST | 192.168.2.5 | 1.1.1.1 | 0x8705 | Standard query (0) | www.reakinggroundtherapy.pro | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:01.206425905 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc98 | Standard query (0) | www.oland-flight-deal.today | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:22.506433964 CEST | 192.168.2.5 | 1.1.1.1 | 0x7430 | Standard query (0) | www.ome-care-76206.bond | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 18:53:32.063766956 CEST | 1.1.1.1 | 192.168.2.5 | 0x91e2 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Sep 26, 2024 18:53:35.760637999 CEST | 1.1.1.1 | 192.168.2.5 | 0x6d8b | Name error (3) | www.eeplab.xyz | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:53:57.170327902 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e75 | Name error (3) | www.inoliga.app | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:54:16.129103899 CEST | 1.1.1.1 | 192.168.2.5 | 0xe0af | Name error (3) | www.ower-bank-za-4886348.world | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:54:36.649272919 CEST | 1.1.1.1 | 192.168.2.5 | 0x58e7 | Name error (3) | www.zkirv.top | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:18.419200897 CEST | 1.1.1.1 | 192.168.2.5 | 0xe638 | No error (0) | www.bets.net |  | 195.85.59.61 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:18.419200897 CEST | 1.1.1.1 | 192.168.2.5 | 0xe638 | No error (0) | www.bets.net |  | 195.85.59.195 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:38.991956949 CEST | 1.1.1.1 | 192.168.2.5 | 0x7749 | Name error (3) | www.emosjumpers.net | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:55:59.792143106 CEST | 1.1.1.1 | 192.168.2.5 | 0xa566 | Name error (3) | www.arpediemwireless.net | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:56:20.204567909 CEST | 1.1.1.1 | 192.168.2.5 | 0xa1 | Name error (3) | www.believehim.net | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:56:40.830159903 CEST | 1.1.1.1 | 192.168.2.5 | 0x8705 | Name error (3) | www.reakinggroundtherapy.pro | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:01.221259117 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc98 | Name error (3) | www.oland-flight-deal.today | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:22.516926050 CEST | 1.1.1.1 | 192.168.2.5 | 0x7430 | Name error (3) | www.ome-care-76206.bond | none | none | A (IP address) | IN (0x0001) | false
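The "Tries to resolve many domain names, but no domain seems valid" signature in the overview is what the two DNS tables above record: eleven www.* A-record lookups about 20 seconds apart, ten answered NXDOMAIN, and only www.bets.net resolving (to 195.85.59.61 and 195.85.59.195), after which the check-in goes to 195.85.59.61. The Python below is an added example, not part of the Joe Sandbox report. It transcribes those rows as constructed input and scores them for the beaconing shape a DNS-log detection would key on; the thresholds in is_suspicious (minimum distinct names, NXDOMAIN ratio, cadence window) are assumptions tuned on this one sample.

```python
"""Score 'many lookups, almost all NXDOMAIN, steady cadence' in a DNS log.

Added example, not part of the Joe Sandbox report. DNS_LOG is transcribed
from the report's DNS query/answer tables; the thresholds are assumptions.
"""
from datetime import datetime
from statistics import median

NXDOMAIN = 3  # DNS RCODE 3, shown as "Name error (3)" in the report

# (query timestamp, name, record type, reply code), transcribed from the report.
DNS_LOG = [
    ("Sep 26, 2024 18:53:32.055697918 CEST", "241.42.69.40.in-addr.arpa", "PTR", 3),
    ("Sep 26, 2024 18:53:35.691802979 CEST", "www.eeplab.xyz", "A", 3),
    ("Sep 26, 2024 18:53:57.143953085 CEST", "www.inoliga.app", "A", 3),
    ("Sep 26, 2024 18:54:16.112967014 CEST", "www.ower-bank-za-4886348.world", "A", 3),
    ("Sep 26, 2024 18:54:36.553270102 CEST", "www.zkirv.top", "A", 3),
    ("Sep 26, 2024 18:55:18.380350113 CEST", "www.bets.net", "A", 0),
    ("Sep 26, 2024 18:55:38.960226059 CEST", "www.emosjumpers.net", "A", 3),
    ("Sep 26, 2024 18:55:59.778784990 CEST", "www.arpediemwireless.net", "A", 3),
    ("Sep 26, 2024 18:56:20.191193104 CEST", "www.believehim.net", "A", 3),
    ("Sep 26, 2024 18:56:40.800338030 CEST", "www.reakinggroundtherapy.pro", "A", 3),
    ("Sep 26, 2024 18:57:01.206425905 CEST", "www.oland-flight-deal.today", "A", 3),
    ("Sep 26, 2024 18:57:22.506433964 CEST", "www.ome-care-76206.bond", "A", 3),
]


def parse_joe_timestamp(ts: str) -> datetime:
    """Parse 'Sep 26, 2024 18:53:35.691802979 CEST'.

    datetime keeps microseconds only, so the nanosecond fraction is truncated
    to six digits; the zone label is dropped because every row shares it.
    """
    body, _zone = ts.rsplit(" ", 1)
    main, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def analyse_lookups(log, rtype="A"):
    """Summarise lookups of one record type: distinct names, NXDOMAIN ratio,
    median inter-query interval in seconds, and the names that resolved."""
    rows = sorted((parse_joe_timestamp(ts), name, rc) for ts, name, t, rc in log if t == rtype)
    if not rows:
        return {"distinct": 0, "nxdomain_ratio": 0.0, "median_interval": None, "resolved": []}
    names = {name for _, name, _ in rows}
    nx = sum(1 for _, _, rc in rows if rc == NXDOMAIN)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
    return {
        "distinct": len(names),
        "nxdomain_ratio": nx / len(rows),
        "median_interval": median(gaps) if gaps else None,
        "resolved": [name for _, name, rc in rows if rc == 0],
    }


def is_suspicious(summary, min_names=5, min_nx_ratio=0.8, cadence=(10.0, 60.0)):
    """Flag the beaconing shape: many names, nearly all NXDOMAIN, steady timing.
    The three thresholds are assumptions; tune them on your own baseline."""
    mi = summary["median_interval"]
    return (
        summary["distinct"] >= min_names
        and summary["nxdomain_ratio"] >= min_nx_ratio
        and mi is not None
        and cadence[0] <= mi <= cadence[1]
    )


if __name__ == "__main__":
    s = analyse_lookups(DNS_LOG)
    print(s, "suspicious" if is_suspicious(s) else "benign")
```

The median rather than the mean is used for the cadence because the one successful resolution (www.bets.net) is followed by a roughly 42-second gap while the check-in runs; a mean would let a single outlier pull the host out of the window.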
                                  • www.bets.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 62804 | 195.85.59.61 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 18:55:18.425595999 CEST | 154 | OUT | GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0&9r4Hc=GdSL HTTP/1.1
Host: www.bets.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
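The single check-in above is what fired all three ET alerts (SIDs 2031412, 2031449 and 2031453), sent from the injected explorer.exe (PID 1028). Its 154 bytes are 147 bytes of request line and headers plus the seven 0x00 bytes listed under Data Raw. The Python below is an added example, not part of the Joe Sandbox report and not the logic of the ET rules. It rebuilds that request as constructed input and scores the structural traits a detection engineer would key on: one short alphanumeric directory, exactly two query parameters with a long base64-like first value and a short second one, a header set of only Host and Connection: close, no User-Agent, and zero-byte padding after the headers. The thresholds in formbook_checkin_score are assumptions tuned on this one sample.

```python
"""Heuristic scoring of a FormBook-style HTTP GET check-in.

Added example, not part of the Joe Sandbox report. CAPTURED_REQUEST is
reconstructed from the report's HTTP session; the scoring thresholds are
assumptions derived from that one sample, not the content of the ET rules.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed from the report's HTTP session (request line, two headers,
# blank line, then the seven 0x00 bytes shown as "Data Raw"). 154 bytes.
CAPTURED_REQUEST = (
    b"GET /e23y/?t8UP=DwtvniUQLpu3MRUm2IfWFG9b5evRRAGuG0irUgkzEgTLOHOkkfBziq8rt1/3cMlKaUc0"
    b"&9r4Hc=GdSL HTTP/1.1\r\n"
    b"Host: www.bets.net\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    + b"\x00" * 7
)

_B64ISH = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # loose base64 / base64url alphabet


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def formbook_checkin_score(raw: bytes) -> dict:
    """Return the individual indicators, a hit count and a verdict.

    Every threshold here (path and parameter lengths, the exact header set,
    the 7-of-8 verdict line) is an assumption tuned on the report's request.
    """
    method, target, headers, body = parse_http_request(raw)
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    segments = [s for s in parts.path.split("/") if s]

    ind = {
        "is_get": method == "GET",
        # one short alphanumeric directory, e.g. /e23y/
        "short_path": len(segments) == 1 and re.fullmatch(r"[a-z0-9]{2,8}", segments[0]) is not None,
        # exactly two query parameters with short random-looking names
        "two_params": len(params) == 2 and all(re.fullmatch(r"[A-Za-z0-9]{2,8}", k) for k, _ in params),
        # first value is a long base64-like blob, second a short token
        "long_first_value": len(params) == 2 and len(params[0][1]) >= 40 and _B64ISH.match(params[0][1]) is not None,
        "short_second_value": len(params) == 2 and 1 <= len(params[1][1]) <= 8,
        # minimal header set: Host plus Connection: close and nothing else
        "minimal_headers": set(headers) == {"host", "connection"} and headers.get("connection", "").lower() == "close",
        "no_user_agent": "user-agent" not in headers,
        # zero bytes after the headers, as recorded under "Data Raw"
        "null_padding": len(body) > 0 and body.strip(b"\x00") == b"",
    }
    hits = sum(ind.values())
    ind["score"] = hits
    ind["verdict"] = hits >= 7
    ind["host"] = headers.get("host")
    return ind


if __name__ == "__main__":
    print(len(CAPTURED_REQUEST), formbook_checkin_score(CAPTURED_REQUEST))
```

Treat the score as a triage aid, not a signature: any legitimate client that sends a bare Host/Connection header pair with a long opaque query parameter will score highly, which is exactly why the production ET rules carry more context than this sketch.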



                                  Target ID:0
                                  Start time:12:52:57
                                  Start date:26/09/2024
                                  Path:C:\Users\user\Desktop\Bonifico 2692024pdf.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
                                  Imagebase:0xfc0000
                                  File size:1'126'400 bytes
                                  MD5 hash:AB5A5FADD9A58B412281FA7C040C54EF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2043224034.0000000000F60000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:12:52:58
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\svchost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Bonifico 2692024pdf.exe"
                                  Imagebase:0xf90000
                                  File size:46'504 bytes
                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2101569543.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2101179285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2101452453.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:12:52:59
                                  Start date:26/09/2024
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff674740000
                                  File size:5'141'208 bytes
                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.4512445617.000000000E583000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:4
                                  Start time:12:53:02
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\colorcpl.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\colorcpl.exe"
                                  Imagebase:0xc50000
                                  File size:86'528 bytes
                                  MD5 hash:DB71E132EBF1FEB6E93E8A2A0F0C903D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4500748393.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4500674089.0000000004EC0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.4500108224.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:moderate
                                  Has exited:false

                                  Target ID:5
                                  Start time:12:53:05
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                  Imagebase:0x790000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:12:53:05
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true
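Target 2 is the hollowing the overview reports: the image on disk is C:\Windows\SysWOW64\svchost.exe, which is why its Reputation reads "high", but its command line is the sample's own, and Target 5 later runs cmd.exe with "/c del" against that same svchost.exe path. The Python below is an added example, not part of the Joe Sandbox report. It transcribes the process records above as constructed input and applies two heuristics that are assumptions rather than the sandbox's own logic: an image/command-line mismatch (the basename named at the start of the command line differs from the on-disk image) and a cmd.exe deletion of a path that some recorded process ran under.

```python
"""Spot a hollowed host process and its cleanup in per-process records.

Added example, not part of the Joe Sandbox report. PROCESSES is transcribed
from the report's process list (Target IDs 0 to 6); both checks are
heuristics (assumptions), not the sandbox's detection logic.
"""
import ntpath
import re

# (target id, image path, command line), transcribed from the report.
PROCESSES = [
    (0, r"C:\Users\user\Desktop\Bonifico 2692024pdf.exe", r'"C:\Users\user\Desktop\Bonifico 2692024pdf.exe"'),
    (2, r"C:\Windows\SysWOW64\svchost.exe", r'"C:\Users\user\Desktop\Bonifico 2692024pdf.exe"'),
    (3, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),
    (4, r"C:\Windows\SysWOW64\colorcpl.exe", r'"C:\Windows\SysWOW64\colorcpl.exe"'),
    (5, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\svchost.exe"'),
    (6, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# First token of a Windows command line: either a quoted path (may contain
# spaces) or a run of non-whitespace. Backslashes are not escapes here.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# "del <path.exe>" with or without quotes, as in cmd.exe /c del "...".
_DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"]+?\.exe)"?', re.IGNORECASE)


def commandline_image(cmdline: str):
    """Executable named at the start of a command line, or None when the
    recorded line carries only arguments (cmd.exe's '/c del ...')."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return None
    token = m.group(1) or m.group(2)
    return token if token.lower().endswith(".exe") else None


def hollowing_candidates(processes):
    """Processes whose on-disk image differs from the executable their own
    command line names: the classic process-hollowing tell. Returns
    (target id, image path, executable claimed by the command line)."""
    out = []
    for tid, image, cmdline in processes:
        claimed = commandline_image(cmdline)
        if claimed and ntpath.basename(claimed).lower() != ntpath.basename(image).lower():
            out.append((tid, image, claimed))
    return out


def self_cleanup(processes):
    """cmd.exe deleting an executable path that another recorded process
    ran under. Returns (target id of the cmd.exe, deleted path)."""
    images = {ntpath.normcase(img) for _, img, _ in processes}
    out = []
    for tid, image, cmdline in processes:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        for target in _DEL_TARGET.findall(cmdline):
            if ntpath.normcase(target) in images:
                out.append((tid, target))
    return out


if __name__ == "__main__":
    print("hollowing:", hollowing_candidates(PROCESSES))
    print("cleanup:", self_cleanup(PROCESSES))
```

The mismatch check is deliberately blind to the image's reputation: a hollowed svchost.exe or colorcpl.exe is exactly the case where "Reputation: high" on the on-disk binary tells you nothing about the code running inside it.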


                                    Execution Graph

                                    Execution Coverage:4.1%
                                    Dynamic/Decrypted Code Coverage:1.5%
                                    Signature Coverage:5.8%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:154
[Execution graph node/edge data omitted; the labelled API nodes that survive in the extracted graph include RegOpenKeyExW, RegQueryValueExW, RegCloseKey, DecodePointer, EncodePointer, RaiseException, GetFullPathNameW, GetModuleFileNameW, RtlAllocateHeap, RtlFreeHeap, GetModuleHandleExW, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetLastError, CloseHandle, ReadFile and SetFilePointerEx.]
98398->98399 98403 103d0db 98398->98403 98500 103dbdc 92 API calls Mailbox 98399->98500 98402 103d251 98402->98403 98404 103d25d 98402->98404 98463 103cc82 98403->98463 98420 103ce75 Mailbox 98404->98420 98405 fc9997 84 API calls 98422 103cec6 Mailbox 98405->98422 98410 103d114 98478 fe0e48 98410->98478 98413 103d147 98485 fc942e 98413->98485 98414 103d12e 98484 102a0b5 89 API calls 4 library calls 98414->98484 98417 103d139 GetCurrentProcess TerminateProcess 98417->98413 98420->98299 98422->98398 98422->98405 98422->98420 98482 102f835 59 API calls 2 library calls 98422->98482 98483 103d2f3 61 API calls 2 library calls 98422->98483 98424 103d2b8 98424->98420 98426 103d2cc FreeLibrary 98424->98426 98425 103d17f 98497 103d95d 107 API calls _free 98425->98497 98426->98420 98431 103d190 98431->98424 98498 fc8ea0 59 API calls Mailbox 98431->98498 98499 fc9e9c 60 API calls Mailbox 98431->98499 98501 103d95d 107 API calls _free 98431->98501 98433 fc99b1 98432->98433 98442 fc99ab 98432->98442 98434 fff9fc __i64tow 98433->98434 98435 fc99f9 98433->98435 98436 fff903 98433->98436 98438 fc99b7 __itow 98433->98438 98502 fe38d8 83 API calls 4 library calls 98435->98502 98443 fe0ff6 Mailbox 59 API calls 98436->98443 98448 fff97b Mailbox _wcscpy 98436->98448 98440 fe0ff6 Mailbox 59 API calls 98438->98440 98441 fc99d1 98440->98441 98441->98442 98444 fc7f41 59 API calls 98441->98444 98442->98420 98450 103dab9 98442->98450 98446 fff948 98443->98446 98444->98442 98445 fe0ff6 Mailbox 59 API calls 98447 fff96e 98445->98447 98446->98445 98447->98448 98449 fc7f41 59 API calls 98447->98449 98503 fe38d8 83 API calls 4 library calls 98448->98503 98449->98448 98451 fc7faf 59 API calls 98450->98451 98452 103dad4 CharLowerBuffW 98451->98452 98504 101f658 98452->98504 98456 fc77c7 59 API calls 98457 103db0d 98456->98457 98511 fc79ab 98457->98511 98459 103db24 98461 fc7e8c 59 API calls 98459->98461 98460 103db6c Mailbox 98460->98422 98462 103db30 Mailbox 98461->98462 98462->98460 98524 103d2f3 
61 API calls 2 library calls 98462->98524 98464 103cc9d 98463->98464 98468 103ccf2 98463->98468 98465 fe0ff6 Mailbox 59 API calls 98464->98465 98467 103ccbf 98465->98467 98466 fe0ff6 Mailbox 59 API calls 98466->98467 98467->98466 98467->98468 98469 103dd64 98468->98469 98470 103df8d Mailbox 98469->98470 98477 103dd87 _strcat _wcscpy __NMSG_WRITE 98469->98477 98470->98410 98471 fc9d46 59 API calls 98471->98477 98472 fc9c9c 59 API calls 98472->98477 98473 fc9cf8 59 API calls 98473->98477 98474 fc9997 84 API calls 98474->98477 98475 fe594c 58 API calls _W_store_winword 98475->98477 98477->98470 98477->98471 98477->98472 98477->98473 98477->98474 98477->98475 98528 1025b29 61 API calls 2 library calls 98477->98528 98480 fe0e5d 98478->98480 98479 fe0ef5 VirtualAlloc 98481 fe0ec3 98479->98481 98480->98479 98480->98481 98481->98413 98481->98414 98482->98422 98483->98422 98484->98417 98486 fc9436 98485->98486 98487 fe0ff6 Mailbox 59 API calls 98486->98487 98488 fc9444 98487->98488 98489 fc9450 98488->98489 98529 fc935c 59 API calls Mailbox 98488->98529 98491 fc91b0 98489->98491 98530 fc92c0 98491->98530 98493 fc91bf 98494 fe0ff6 Mailbox 59 API calls 98493->98494 98495 fc925b 98493->98495 98494->98495 98495->98431 98496 fc8ea0 59 API calls Mailbox 98495->98496 98496->98425 98497->98431 98498->98431 98499->98431 98500->98402 98501->98431 98502->98438 98503->98434 98505 101f683 __NMSG_WRITE 98504->98505 98506 101f6c2 98505->98506 98509 101f6b8 98505->98509 98510 101f769 98505->98510 98506->98456 98506->98462 98509->98506 98525 fc7a24 61 API calls 98509->98525 98510->98506 98526 fc7a24 61 API calls 98510->98526 98512 fc79ba 98511->98512 98513 fc7a17 98511->98513 98512->98513 98514 fc79c5 98512->98514 98515 fc7e8c 59 API calls 98513->98515 98516 fc79e0 98514->98516 98517 ffef32 98514->98517 98521 fc79e8 _memmove 98515->98521 98527 fc8087 59 API calls Mailbox 98516->98527 98518 fc8189 59 API calls 98517->98518 98520 ffef3c 98518->98520 98522 fe0ff6 Mailbox 59 API calls 
98520->98522 98521->98459 98523 ffef5c 98522->98523 98524->98460 98525->98509 98526->98510 98527->98521 98528->98477 98529->98489 98531 fc92c9 Mailbox 98530->98531 98532 fff5c8 98531->98532 98537 fc92d3 98531->98537 98533 fe0ff6 Mailbox 59 API calls 98532->98533 98535 fff5d4 98533->98535 98534 fc92da 98534->98493 98537->98534 98538 fc9df0 59 API calls Mailbox 98537->98538 98538->98537 98621 fc5dcf 98539->98621 98543 fc5981 98547 fc59a4 98543->98547 98633 fc5770 98543->98633 98545 fc5993 98650 fc53db SetFilePointerEx SetFilePointerEx 98545->98650 98547->98320 98547->98321 98548 ffe030 98651 1023696 SetFilePointerEx SetFilePointerEx WriteFile 98548->98651 98549 fc599a 98549->98547 98549->98548 98551 ffe060 98551->98547 98552->98301 98554 fc77c7 59 API calls 98553->98554 98555 fc470f 98554->98555 98556 fc77c7 59 API calls 98555->98556 98557 fc4717 98556->98557 98558 fc77c7 59 API calls 98557->98558 98559 fc471f 98558->98559 98560 fc77c7 59 API calls 98559->98560 98561 fc4727 98560->98561 98562 ffd8fb 98561->98562 98563 fc475b 98561->98563 98564 fc81a7 59 API calls 98562->98564 98565 fc79ab 59 API calls 98563->98565 98566 ffd904 98564->98566 98567 fc4769 98565->98567 98568 fc7eec 59 API calls 98566->98568 98569 fc7e8c 59 API calls 98567->98569 98571 fc479e 98568->98571 98570 fc4773 98569->98570 98570->98571 98572 fc79ab 59 API calls 98570->98572 98573 fc47de 98571->98573 98575 fc47bd 98571->98575 98586 ffd924 98571->98586 98576 fc4794 98572->98576 98574 fc79ab 59 API calls 98573->98574 98577 fc47ef 98574->98577 98674 fc7b52 98575->98674 98579 fc7e8c 59 API calls 98576->98579 98581 fc4801 98577->98581 98677 fc81a7 98577->98677 98578 ffd9f4 98582 fc7d2c 59 API calls 98578->98582 98579->98571 98585 fc4811 98581->98585 98588 fc81a7 59 API calls 98581->98588 98593 ffd9b1 98582->98593 98590 fc4818 98585->98590 98591 fc81a7 59 API calls 98585->98591 98586->98578 98589 ffd9dd 98586->98589 98595 ffd95b 98586->98595 98587 fc79ab 59 API calls 98587->98573 98588->98585 
98589->98578 98597 ffd9c8 98589->98597 98592 fc81a7 59 API calls 98590->98592 98596 fc481f Mailbox 98590->98596 98591->98590 98592->98596 98593->98573 98594 fc7b52 59 API calls 98593->98594 98681 fc7a84 59 API calls 2 library calls 98593->98681 98594->98593 98598 ffd9b9 98595->98598 98602 ffd9a4 98595->98602 98596->98322 98599 fc7d2c 59 API calls 98597->98599 98600 fc7d2c 59 API calls 98598->98600 98599->98593 98600->98593 98603 fc7d2c 59 API calls 98602->98603 98603->98593 98605 fff094 98604->98605 98606 fc7ca0 98604->98606 98689 1018123 59 API calls _memmove 98605->98689 98683 fc7bb1 98606->98683 98609 fc7cac 98609->98328 98613 1023e73 98609->98613 98610 fff09e 98611 fc81a7 59 API calls 98610->98611 98612 fff0a6 Mailbox 98611->98612 98690 1024696 GetFileAttributesW 98613->98690 98616->98346 98617->98304 98618->98308 98619->98343 98620->98343 98622 fc5de8 98621->98622 98623 fc5962 98621->98623 98622->98623 98624 fc5ded CloseHandle 98622->98624 98625 fc5df9 98623->98625 98624->98623 98626 ffe181 98625->98626 98627 fc5e12 CreateFileW 98625->98627 98628 ffe187 CreateFileW 98626->98628 98630 fc5e34 98626->98630 98627->98630 98629 ffe1ad 98628->98629 98628->98630 98652 fc5c4e 98629->98652 98630->98543 98634 ffdfce 98633->98634 98635 fc578b 98633->98635 98649 fc581a 98634->98649 98668 fc5e3f 98634->98668 98636 fc5c4e 2 API calls 98635->98636 98635->98649 98637 fc57ad 98636->98637 98638 fc538e 59 API calls 98637->98638 98640 fc57b7 98638->98640 98640->98634 98641 fc57c4 98640->98641 98642 fe0ff6 Mailbox 59 API calls 98641->98642 98643 fc57cf 98642->98643 98644 fc538e 59 API calls 98643->98644 98645 fc57da 98644->98645 98662 fc5d20 98645->98662 98648 fc5c4e 2 API calls 98648->98649 98649->98545 98650->98549 98651->98551 98658 fc5c68 98652->98658 98653 fc5cef SetFilePointerEx 98660 fc5dae SetFilePointerEx 98653->98660 98654 ffe151 98661 fc5dae SetFilePointerEx 98654->98661 98657 ffe16b 98658->98653 98658->98654 98659 fc5cc3 98658->98659 98659->98630 98660->98659 
98661->98657 98663 fc5d93 98662->98663 98667 fc5d2e 98662->98667 98673 fc5dae SetFilePointerEx 98663->98673 98665 fc5807 98665->98648 98666 fc5d66 ReadFile 98666->98665 98666->98667 98667->98665 98667->98666 98669 fc5c4e 2 API calls 98668->98669 98670 fc5e60 98669->98670 98671 fc5c4e 2 API calls 98670->98671 98672 fc5e74 98671->98672 98672->98649 98673->98667 98675 fc7faf 59 API calls 98674->98675 98676 fc47c7 98675->98676 98676->98573 98676->98587 98678 fc81ba 98677->98678 98679 fc81b2 98677->98679 98678->98581 98682 fc80d7 59 API calls 2 library calls 98679->98682 98681->98593 98682->98678 98684 fc7bbf 98683->98684 98688 fc7be5 _memmove 98683->98688 98685 fe0ff6 Mailbox 59 API calls 98684->98685 98684->98688 98686 fc7c34 98685->98686 98687 fe0ff6 Mailbox 59 API calls 98686->98687 98687->98688 98688->98609 98689->98610 98691 1023e7a 98690->98691 98692 10246b1 FindFirstFileW 98690->98692 98691->98328 98691->98338 98692->98691 98693 10246c6 FindClose 98692->98693 98693->98691 98695 fffbff 98694->98695 98696 fc9c08 98694->98696 98697 fffc10 98695->98697 98699 fc7d2c 59 API calls 98695->98699 98701 fe0ff6 Mailbox 59 API calls 98696->98701 98698 fc7eec 59 API calls 98697->98698 98700 fffc1a 98698->98700 98699->98697 98704 fc9c34 98700->98704 98705 fc77c7 59 API calls 98700->98705 98702 fc9c1b 98701->98702 98702->98700 98703 fc9c26 98702->98703 98703->98704 98706 fc7f41 59 API calls 98703->98706 98704->98351 98704->98354 98705->98704 98706->98704 98708 fc56dd 98707->98708 98709 fc5702 98707->98709 98708->98709 98713 fc56ec 98708->98713 98710 fc7eec 59 API calls 98709->98710 98714 102349a 98710->98714 98711 10234c9 98711->98378 98733 fc5c18 98713->98733 98714->98711 98731 1023436 ReadFile SetFilePointerEx 98714->98731 98732 fc7a84 59 API calls 2 library calls 98714->98732 98721 10235d8 Mailbox 98721->98378 98722->98355 98723->98383 98724->98382 98725->98354 98726->98354 98727->98360 98728->98368 98729->98376 98730->98381 98731->98714 98732->98714 98734 fe0ff6 Mailbox 59 
API calls 98733->98734 98735 fc5c2b 98734->98735 98736 fe0ff6 Mailbox 59 API calls 98735->98736 98737 fc5c37 98736->98737 98738 fc5632 98737->98738 98745 fc5a2f 98738->98745 98740 fc5643 98741 fc5d20 2 API calls 98740->98741 98742 fc5674 98740->98742 98752 fc5bda 59 API calls 2 library calls 98740->98752 98741->98740 98742->98721 98744 fc793a 61 API calls Mailbox 98742->98744 98744->98721 98746 ffe065 98745->98746 98747 fc5a40 98745->98747 98753 1016443 59 API calls Mailbox 98746->98753 98747->98740 98749 ffe06f 98750 fe0ff6 Mailbox 59 API calls 98749->98750 98751 ffe07b 98750->98751 98752->98740 98753->98749 98755 1016641 98754->98755 98756 101665e 98754->98756 98755->98756 98758 1016621 59 API calls Mailbox 98755->98758 98756->98393 98758->98755 98759 fc1055 98764 fc2649 98759->98764 98762 fe2f80 __cinit 67 API calls 98763 fc1064 98762->98763 98765 fc77c7 59 API calls 98764->98765 98766 fc26b7 98765->98766 98771 fc3582 98766->98771 98769 fc2754 98770 fc105a 98769->98770 98774 fc3416 59 API calls 2 library calls 98769->98774 98770->98762 98775 fc35b0 98771->98775 98774->98769 98776 fc35bd 98775->98776 98778 fc35a1 98775->98778 98777 fc35c4 RegOpenKeyExW 98776->98777 98776->98778 98777->98778 98779 fc35de RegQueryValueExW 98777->98779 98778->98769 98780 fc35ff 98779->98780 98781 fc3614 RegCloseKey 98779->98781 98780->98781 98781->98778 98782 fc1016 98787 fc4ad2 98782->98787 98785 fe2f80 __cinit 67 API calls 98786 fc1025 98785->98786 98788 fe0ff6 Mailbox 59 API calls 98787->98788 98789 fc4ada 98788->98789 98790 fc101b 98789->98790 98794 fc4a94 98789->98794 98790->98785 98795 fc4a9d 98794->98795 98796 fc4aaf 98794->98796 98797 fe2f80 __cinit 67 API calls 98795->98797 98798 fc4afe 98796->98798 98797->98796 98799 fc77c7 59 API calls 98798->98799 98800 fc4b16 GetVersionExW 98799->98800 98801 fc7d2c 59 API calls 98800->98801 98802 fc4b59 98801->98802 98803 fc7e8c 59 API calls 98802->98803 98806 fc4b86 98802->98806 98804 fc4b7a 98803->98804 98805 fc7886 59 API calls 
98804->98805 98805->98806 98807 ffdc8d 98806->98807 98808 fc4bf1 GetCurrentProcess IsWow64Process 98806->98808 98809 fc4c0a 98808->98809 98810 fc4c89 GetSystemInfo 98809->98810 98811 fc4c20 98809->98811 98812 fc4c56 98810->98812 98822 fc4c95 98811->98822 98812->98790 98815 fc4c7d GetSystemInfo 98817 fc4c47 98815->98817 98816 fc4c32 98818 fc4c95 2 API calls 98816->98818 98817->98812 98820 fc4c4d FreeLibrary 98817->98820 98819 fc4c3a GetNativeSystemInfo 98818->98819 98819->98817 98820->98812 98823 fc4c2e 98822->98823 98824 fc4c9e LoadLibraryA 98822->98824 98823->98815 98823->98816 98824->98823 98825 fc4caf GetProcAddress 98824->98825 98825->98823 98826 fe7e93 98827 fe7e9f __setmode 98826->98827 98863 fea048 GetStartupInfoW 98827->98863 98829 fe7ea4 98865 fe8dbc GetProcessHeap 98829->98865 98831 fe7efc 98832 fe7f07 98831->98832 98948 fe7fe3 58 API calls 3 library calls 98831->98948 98866 fe9d26 98832->98866 98835 fe7f0d 98836 fe7f18 __RTC_Initialize 98835->98836 98949 fe7fe3 58 API calls 3 library calls 98835->98949 98887 fed812 98836->98887 98839 fe7f27 98840 fe7f33 GetCommandLineW 98839->98840 98950 fe7fe3 58 API calls 3 library calls 98839->98950 98906 ff5173 GetEnvironmentStringsW 98840->98906 98843 fe7f32 98843->98840 98846 fe7f4d 98847 fe7f58 98846->98847 98951 fe32f5 58 API calls 3 library calls 98846->98951 98916 ff4fa8 98847->98916 98850 fe7f5e 98851 fe7f69 98850->98851 98952 fe32f5 58 API calls 3 library calls 98850->98952 98930 fe332f 98851->98930 98854 fe7f71 98855 fe7f7c __wwincmdln 98854->98855 98953 fe32f5 58 API calls 3 library calls 98854->98953 98936 fc492e 98855->98936 98858 fe7f90 98859 fe7f9f 98858->98859 98954 fe3598 58 API calls _doexit 98858->98954 98955 fe3320 58 API calls _doexit 98859->98955 98862 fe7fa4 __setmode 98864 fea05e 98863->98864 98864->98829 98865->98831 98956 fe33c7 36 API calls 2 library calls 98866->98956 98868 fe9d2b 98957 fe9f7c InitializeCriticalSectionAndSpinCount __ioinit 98868->98957 98870 fe9d30 98871 fe9d34 98870->98871 
98959 fe9fca TlsAlloc 98870->98959 98958 fe9d9c 61 API calls 2 library calls 98871->98958 98874 fe9d39 98874->98835 98875 fe9d46 98875->98871 98876 fe9d51 98875->98876 98960 fe8a15 98876->98960 98879 fe9d93 98968 fe9d9c 61 API calls 2 library calls 98879->98968 98882 fe9d98 98882->98835 98883 fe9d72 98883->98879 98884 fe9d78 98883->98884 98967 fe9c73 58 API calls 4 library calls 98884->98967 98886 fe9d80 GetCurrentThreadId 98886->98835 98888 fed81e __setmode 98887->98888 98889 fe9e4b __lock 58 API calls 98888->98889 98890 fed825 98889->98890 98891 fe8a15 __calloc_crt 58 API calls 98890->98891 98892 fed836 98891->98892 98893 fed841 @_EH4_CallFilterFunc@8 __setmode 98892->98893 98894 fed8a1 GetStartupInfoW 98892->98894 98893->98839 98899 fed8b6 98894->98899 98903 fed9e5 98894->98903 98895 fedaad 98982 fedabd LeaveCriticalSection _doexit 98895->98982 98897 fe8a15 __calloc_crt 58 API calls 98897->98899 98898 feda32 GetStdHandle 98898->98903 98899->98897 98902 fed904 98899->98902 98899->98903 98900 feda45 GetFileType 98900->98903 98901 fed938 GetFileType 98901->98902 98902->98901 98902->98903 98980 fea06b InitializeCriticalSectionAndSpinCount 98902->98980 98903->98895 98903->98898 98903->98900 98981 fea06b InitializeCriticalSectionAndSpinCount 98903->98981 98907 fe7f43 98906->98907 98908 ff5184 98906->98908 98912 ff4d6b GetModuleFileNameW 98907->98912 98983 fe8a5d 58 API calls 2 library calls 98908->98983 98910 ff51aa _memmove 98911 ff51c0 FreeEnvironmentStringsW 98910->98911 98911->98907 98913 ff4d9f _wparse_cmdline 98912->98913 98915 ff4ddf _wparse_cmdline 98913->98915 98984 fe8a5d 58 API calls 2 library calls 98913->98984 98915->98846 98917 ff4fc1 __NMSG_WRITE 98916->98917 98921 ff4fb9 98916->98921 98918 fe8a15 __calloc_crt 58 API calls 98917->98918 98926 ff4fea __NMSG_WRITE 98918->98926 98919 ff5041 98920 fe2f95 _free 58 API calls 98919->98920 98920->98921 98921->98850 98922 fe8a15 __calloc_crt 58 API calls 98922->98926 98923 ff5066 98924 fe2f95 _free 58 API calls 
98923->98924 98924->98921 98926->98919 98926->98921 98926->98922 98926->98923 98927 ff507d 98926->98927 98985 ff4857 58 API calls 2 library calls 98926->98985 98986 fe9006 IsProcessorFeaturePresent 98927->98986 98929 ff5089 98929->98850 98932 fe333b __IsNonwritableInCurrentImage 98930->98932 99009 fea711 98932->99009 98933 fe3359 __initterm_e 98934 fe2f80 __cinit 67 API calls 98933->98934 98935 fe3378 _doexit __IsNonwritableInCurrentImage 98933->98935 98934->98935 98935->98854 98937 fc4948 98936->98937 98947 fc49e7 98936->98947 98938 fc4982 IsThemeActive 98937->98938 99012 fe35ac 98938->99012 98942 fc49ae 99024 fc4a5b SystemParametersInfoW SystemParametersInfoW 98942->99024 98944 fc49ba 99025 fc3b4c 98944->99025 98946 fc49c2 SystemParametersInfoW 98946->98947 98947->98858 98948->98832 98949->98836 98950->98843 98954->98859 98955->98862 98956->98868 98957->98870 98958->98874 98959->98875 98963 fe8a1c 98960->98963 98962 fe8a57 98962->98879 98966 fea026 TlsSetValue 98962->98966 98963->98962 98965 fe8a3a 98963->98965 98969 ff5446 98963->98969 98965->98962 98965->98963 98977 fea372 Sleep 98965->98977 98966->98883 98967->98886 98968->98882 98970 ff5451 98969->98970 98974 ff546c 98969->98974 98971 ff545d 98970->98971 98970->98974 98978 fe8d68 58 API calls __getptd_noexit 98971->98978 98973 ff547c HeapAlloc 98973->98974 98975 ff5462 98973->98975 98974->98973 98974->98975 98979 fe35e1 DecodePointer 98974->98979 98975->98963 98977->98965 98978->98975 98979->98974 98980->98902 98981->98903 98982->98893 98983->98910 98984->98915 98985->98926 98987 fe9011 98986->98987 98992 fe8e99 98987->98992 98991 fe902c 98991->98929 98993 fe8eb3 _memset __call_reportfault 98992->98993 98994 fe8ed3 IsDebuggerPresent 98993->98994 99000 fea395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98994->99000 98997 fe8fba 98999 fea380 GetCurrentProcess TerminateProcess 98997->98999 98998 fe8f97 __call_reportfault 99001 fec836 98998->99001 98999->98991 99000->98998 99002 fec83e 99001->99002 99003 
fec840 IsProcessorFeaturePresent 99001->99003 99002->98997 99005 ff5b5a 99003->99005 99008 ff5b09 5 API calls 2 library calls 99005->99008 99007 ff5c3d 99007->98997 99008->99007 99010 fea714 EncodePointer 99009->99010 99010->99010 99011 fea72e 99010->99011 99011->98933 99013 fe9e4b __lock 58 API calls 99012->99013 99014 fe35b7 DecodePointer EncodePointer 99013->99014 99077 fe9fb5 LeaveCriticalSection 99014->99077 99016 fc49a7 99017 fe3614 99016->99017 99018 fe361e 99017->99018 99019 fe3638 99017->99019 99018->99019 99078 fe8d68 58 API calls __getptd_noexit 99018->99078 99019->98942 99021 fe3628 99079 fe8ff6 9 API calls __cftoe2_l 99021->99079 99023 fe3633 99023->98942 99024->98944 99026 fc3b59 __write_nolock 99025->99026 99027 fc77c7 59 API calls 99026->99027 99028 fc3b63 GetCurrentDirectoryW 99027->99028 99080 fc3778 99028->99080 99030 fc3b8c IsDebuggerPresent 99031 ffd4ad MessageBoxA 99030->99031 99032 fc3b9a 99030->99032 99034 ffd4c7 99031->99034 99032->99034 99035 fc3bb7 99032->99035 99064 fc3c73 99032->99064 99033 fc3c7a SetCurrentDirectoryW 99038 fc3c87 Mailbox 99033->99038 99290 fc7373 59 API calls Mailbox 99034->99290 99161 fc73e5 99035->99161 99038->98946 99039 ffd4d7 99045 ffd4ed SetCurrentDirectoryW 99039->99045 99045->99038 99064->99033 99077->99016 99078->99021 99079->99023 99081 fc77c7 59 API calls 99080->99081 99082 fc378e 99081->99082 99292 fc3d43 99082->99292 99084 fc37ac 99085 fc4864 61 API calls 99084->99085 99086 fc37c0 99085->99086 99087 fc7f41 59 API calls 99086->99087 99088 fc37cd 99087->99088 99306 fc4f3d 99088->99306 99091 ffd3ae 99362 10297e5 99091->99362 99093 fc37ee Mailbox 99096 fc81a7 59 API calls 99093->99096 99095 ffd3cd 99098 fe2f95 _free 58 API calls 99095->99098 99099 fc3801 99096->99099 99100 ffd3da 99098->99100 99330 fc93ea 99099->99330 99102 fc4faa 84 API calls 99100->99102 99104 ffd3e3 99102->99104 99108 fc3ee2 59 API calls 99104->99108 99105 fc7f41 59 API calls 99106 fc381a 99105->99106 99333 fc8620 99106->99333 99110 ffd3fe 
99108->99110 99109 fc382c Mailbox 99111 fc7f41 59 API calls 99109->99111 99112 fc3ee2 59 API calls 99110->99112 99113 fc3852 99111->99113 99114 ffd41a 99112->99114 99115 fc8620 69 API calls 99113->99115 99116 fc4864 61 API calls 99114->99116 99118 fc3861 Mailbox 99115->99118 99117 ffd43f 99116->99117 99119 fc3ee2 59 API calls 99117->99119 99121 fc77c7 59 API calls 99118->99121 99120 ffd44b 99119->99120 99122 fc81a7 59 API calls 99120->99122 99123 fc387f 99121->99123 99124 ffd459 99122->99124 99337 fc3ee2 99123->99337 99126 fc3ee2 59 API calls 99124->99126 99129 ffd468 99126->99129 99134 fc81a7 59 API calls 99129->99134 99130 fc3899 99130->99104 99131 fc38a3 99130->99131 99132 fe313d _W_store_winword 60 API calls 99131->99132 99133 fc38ae 99132->99133 99133->99110 99135 fc38b8 99133->99135 99136 ffd48a 99134->99136 99137 fe313d _W_store_winword 60 API calls 99135->99137 99138 fc3ee2 59 API calls 99136->99138 99139 fc38c3 99137->99139 99140 ffd497 99138->99140 99139->99114 99141 fc38cd 99139->99141 99140->99140 99142 fe313d _W_store_winword 60 API calls 99141->99142 99143 fc38d8 99142->99143 99143->99129 99144 fc3919 99143->99144 99146 fc3ee2 59 API calls 99143->99146 99144->99129 99145 fc3926 99144->99145 99147 fc942e 59 API calls 99145->99147 99148 fc38fc 99146->99148 99149 fc3936 99147->99149 99150 fc81a7 59 API calls 99148->99150 99152 fc91b0 59 API calls 99149->99152 99151 fc390a 99150->99151 99153 fc3ee2 59 API calls 99151->99153 99154 fc3944 99152->99154 99153->99144 99353 fc9040 99154->99353 99156 fc93ea 59 API calls 99158 fc3961 99156->99158 99157 fc9040 60 API calls 99157->99158 99158->99156 99158->99157 99159 fc3ee2 59 API calls 99158->99159 99160 fc39a7 Mailbox 99158->99160 99159->99158 99160->99030 99162 fc73f2 __write_nolock 99161->99162 99163 ffee4b _memset 99162->99163 99164 fc740b 99162->99164 99166 ffee67 GetOpenFileNameW 99163->99166 99165 fc48ae 60 API calls 99164->99165 99167 fc7414 99165->99167 99168 ffeeb6 99166->99168 100205 fe09d5 
99167->100205 99170 fc7d2c 59 API calls 99168->99170 99172 ffeecb 99170->99172 99172->99172 99174 fc7429 100223 fc69ca 99174->100223 99290->99039 99293 fc3d50 __write_nolock 99292->99293 99294 fc7d2c 59 API calls 99293->99294 99299 fc3eb6 Mailbox 99293->99299 99296 fc3d82 99294->99296 99295 fc7b52 59 API calls 99295->99296 99296->99295 99305 fc3db8 Mailbox 99296->99305 99297 fc7b52 59 API calls 99297->99305 99298 fc3e89 99298->99299 99300 fc7f41 59 API calls 99298->99300 99299->99084 99302 fc3eaa 99300->99302 99301 fc7f41 59 API calls 99301->99305 99303 fc3f84 59 API calls 99302->99303 99303->99299 99304 fc3f84 59 API calls 99304->99305 99305->99297 99305->99298 99305->99299 99305->99301 99305->99304 99403 fc4d13 99306->99403 99311 ffdd0f 99313 fc4faa 84 API calls 99311->99313 99312 fc4f68 LoadLibraryExW 99413 fc4cc8 99312->99413 99315 ffdd16 99313->99315 99317 fc4cc8 3 API calls 99315->99317 99321 ffdd1e 99317->99321 99319 fc4f8f 99320 fc4f9b 99319->99320 99319->99321 99322 fc4faa 84 API calls 99320->99322 99439 fc506b 99321->99439 99324 fc37e6 99322->99324 99324->99091 99324->99093 99327 ffdd45 99447 fc5027 99327->99447 99329 ffdd52 99331 fe0ff6 Mailbox 59 API calls 99330->99331 99332 fc380d 99331->99332 99332->99105 99334 fc862b 99333->99334 99336 fc8652 99334->99336 99874 fc8b13 69 API calls Mailbox 99334->99874 99336->99109 99338 fc3eec 99337->99338 99339 fc3f05 99337->99339 99340 fc81a7 59 API calls 99338->99340 99341 fc7d2c 59 API calls 99339->99341 99342 fc388b 99340->99342 99341->99342 99343 fe313d 99342->99343 99344 fe31be 99343->99344 99345 fe3149 99343->99345 99877 fe31d0 60 API calls 4 library calls 99344->99877 99347 fe316e 99345->99347 99875 fe8d68 58 API calls __getptd_noexit 99345->99875 99347->99130 99349 fe31cb 99349->99130 99350 fe3155 99876 fe8ff6 9 API calls __cftoe2_l 99350->99876 99352 fe3160 99352->99130 99354 fff5a5 99353->99354 99356 fc9057 99353->99356 99354->99356 99879 fc8d3b 59 API calls Mailbox 99354->99879 99357 fc915f 99356->99357 
99358 fc9158 99356->99358 99359 fc91a0 99356->99359 99357->99158 99361 fe0ff6 Mailbox 59 API calls 99358->99361 99878 fc9e9c 60 API calls Mailbox 99359->99878 99361->99357 99363 fc5045 85 API calls 99362->99363 99364 1029854 99363->99364 99880 10299be 99364->99880 99367 fc506b 74 API calls 99368 1029881 99367->99368 99369 fc506b 74 API calls 99368->99369 99370 1029891 99369->99370 99371 fc506b 74 API calls 99370->99371 99372 10298ac 99371->99372 99373 fc506b 74 API calls 99372->99373 99374 10298c7 99373->99374 99375 fc5045 85 API calls 99374->99375 99376 10298de 99375->99376 99377 fe594c _W_store_winword 58 API calls 99376->99377 99378 10298e5 99377->99378 99379 fe594c _W_store_winword 58 API calls 99378->99379 99380 10298ef 99379->99380 99381 fc506b 74 API calls 99380->99381 99382 1029903 99381->99382 99383 1029393 GetSystemTimeAsFileTime 99382->99383 99384 1029916 99383->99384 99385 1029940 99384->99385 99386 102992b 99384->99386 99388 1029946 99385->99388 99389 10299a5 99385->99389 99387 fe2f95 _free 58 API calls 99386->99387 99391 1029931 99387->99391 99886 1028d90 99388->99886 99390 fe2f95 _free 58 API calls 99389->99390 99395 ffd3c1 99390->99395 99393 fe2f95 _free 58 API calls 99391->99393 99393->99395 99395->99095 99397 fc4faa 99395->99397 99396 fe2f95 _free 58 API calls 99396->99395 99398 fc4fbb 99397->99398 99399 fc4fb4 99397->99399 99401 fc4fca 99398->99401 99402 fc4fdb FreeLibrary 99398->99402 99400 fe55d6 __fcloseall 83 API calls 99399->99400 99400->99398 99401->99095 99402->99401 99452 fc4d61 99403->99452 99406 fc4d3a 99408 fc4d4a FreeLibrary 99406->99408 99409 fc4d53 99406->99409 99407 fc4d61 2 API calls 99407->99406 99408->99409 99410 fe548b 99409->99410 99456 fe54a0 99410->99456 99412 fc4f5c 99412->99311 99412->99312 99614 fc4d94 99413->99614 99416 fc4cff FreeLibrary 99417 fc4d08 99416->99417 99420 fc4dd0 99417->99420 99418 fc4d94 2 API calls 99419 fc4ced 99418->99419 99419->99416 99419->99417 99421 fe0ff6 Mailbox 59 API calls 99420->99421 99422 
Execution graph (call-graph node and edge listing): the rendered graph does not survive as text; only the node identifiers, function addresses (code regions around e50000, fc0000-ff8000 and 1000000-103e000), per-node API call counts and edge targets remain. Windows API calls named in the graph nodes: LoadLibraryA, GetProcAddress, GetModuleHandleW, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateFileW, GetFileType, ReadFile, WriteFile, CloseHandle, GetLastError, GetConsoleMode, GetConsoleCP, ReadConsoleW, WriteConsoleW, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, GetSystemTimeAsFileTime, GetLongPathNameW, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, Shell_NotifyIconW, MoveWindow, SetFocus, DeleteObject, DestroyWindow, CharUpperBuffW, OleInitialize, CreateThread, Sleep and GetPEB. The remaining nodes reference CRT-internal routines (for example __setmode, __wopenfile, __wsopen_nolock, __read_nolock, __write_nolock, __lseeki64_nolock, __close_nolock, __getptd_noexit, __invoke_watson, _memmove, _memset and _free).
101193->101194 101195 fe0ff6 Mailbox 59 API calls 101194->101195 101196 fcfa68 101195->101196 101197 fd6259 101196->101197 101198 fd6267 101197->101198 101199 fc77c7 59 API calls 101198->101199 101200 fd6272 101199->101200 101201 fc77c7 59 API calls 101200->101201 101202 fd627d 101201->101202 101203 fc77c7 59 API calls 101202->101203 101204 fd6288 101203->101204 101205 fc77c7 59 API calls 101204->101205 101206 fd6293 101205->101206 101207 fd5bfd 59 API calls 101206->101207 101208 fd629e 101207->101208 101209 fe0ff6 Mailbox 59 API calls 101208->101209 101210 fd62a5 RegisterWindowMessageW 101209->101210 101210->101160 101213 1015cc3 101212->101213 101214 fdffee 101212->101214 101231 1029d71 60 API calls 101213->101231 101216 fe0ff6 Mailbox 59 API calls 101214->101216 101218 fdfff6 101216->101218 101217 1015cce 101218->101164 101219->101171 101220->101173 101232 102748f 65 API calls 101220->101232 101222 fc77c7 59 API calls 101221->101222 101223 fe0227 101222->101223 101224 fc77c7 59 API calls 101223->101224 101225 fe022f 101224->101225 101226 fc77c7 59 API calls 101225->101226 101227 fe017b 101226->101227 101227->101177 101229 fc77c7 59 API calls 101228->101229 101230 fd5c05 101229->101230 101230->101191 101231->101217 101233 e5295b 101234 e52970 101233->101234 101235 e50000 GetPEB 101234->101235 101236 e5297c 101235->101236 101237 e52a30 101236->101237 101238 e5299a 101236->101238 101255 e532e0 9 API calls 101237->101255 101242 e52640 101238->101242 101241 e52a17 101243 e50000 GetPEB 101242->101243 101246 e526df 101243->101246 101245 e52710 CreateFileW 101245->101246 101250 e5271d 101245->101250 101247 e52739 VirtualAlloc 101246->101247 101246->101250 101253 e52840 CloseHandle 101246->101253 101254 e52850 VirtualFree 101246->101254 101256 e53550 GetPEB 101246->101256 101248 e5275a ReadFile 101247->101248 101247->101250 101249 e52778 VirtualAlloc 101248->101249 101248->101250 101249->101246 101249->101250 101251 e5292c VirtualFree 101250->101251 101252 e5293a 
101250->101252 101251->101252 101252->101241 101253->101246 101254->101246 101255->101241 101257 e5357a 101256->101257 101257->101245

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
                                    • IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                      • Part of subcall function 00FD0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FC3C26,010862F8,?,?,?), ref: 00FD0ACE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010793F0,00000010), ref: 00FFD4BC
                                    • SetCurrentDirectoryW.KERNEL32(?,010862F8,?,?,?), ref: 00FFD4F4
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01075D40,010862F8,?,?,?), ref: 00FFD57A
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00FFD581
                                      • Part of subcall function 00FC3A58: GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
                                      • Part of subcall function 00FC3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
                                      • Part of subcall function 00FC3A58: LoadIconW.USER32(00000063), ref: 00FC3A88
                                      • Part of subcall function 00FC3A58: LoadIconW.USER32(000000A4), ref: 00FC3A9A
                                      • Part of subcall function 00FC3A58: LoadIconW.USER32(000000A2), ref: 00FC3AAC
                                      • Part of subcall function 00FC3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
                                      • Part of subcall function 00FC3A58: RegisterClassExW.USER32(?), ref: 00FC3B28
                                      • Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
                                      • Part of subcall function 00FC39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
                                      • Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
                                      • Part of subcall function 00FC39E7: ShowWindow.USER32(00000000,?,?), ref: 00FC3A53
                                      • Part of subcall function 00FC43DB: _memset.LIBCMT ref: 00FC4401
                                      • Part of subcall function 00FC43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6
                                    Strings
                                    • runas, xrefs: 00FFD575
                                    • This is a third-party compiled AutoIt script., xrefs: 00FFD4B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 529118366-3287110873
                                    • Opcode ID: 2b46a83e2a1a798a466fc26f73c3f404dbae4a5d5456de9b38533899f0e5fca7
                                    • Instruction ID: bc157560dc4d123a0d0a8fd6b19aeb3fc07a287762ce6852034977e1933a8623
                                    • Opcode Fuzzy Hash: 2b46a83e2a1a798a466fc26f73c3f404dbae4a5d5456de9b38533899f0e5fca7
                                    • Instruction Fuzzy Hash: FF510331D0824AAACB21FBB4DE46FFD7B75AF04350F0480ADF8D1A6152CA3E5645EB20

                                    Control-flow Graph

                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 00FC4B2B
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    • GetCurrentProcess.KERNEL32(?,0104FAEC,00000000,00000000,?), ref: 00FC4BF8
                                    • IsWow64Process.KERNEL32(00000000), ref: 00FC4BFF
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00FC4C45
                                    • FreeLibrary.KERNEL32(00000000), ref: 00FC4C50
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FC4C81
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00FC4C8D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    • Opcode ID: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
                                    • Instruction ID: bf6889d59080bda2aa1f81334a1a8f983f71157eb3dc3eeba0aa663616d95f32
                                    • Opcode Fuzzy Hash: a65a3b13a3dbbaab7824930e92f236dfbb8606c474916286577876200463027e
                                    • Instruction Fuzzy Hash: 2591273184A7C5DEC731DB788662BAAFFE5AF66310B044D9DD0CB83A51C224F908E719

                                    Control-flow Graph

                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC4FF9
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FC4EEE,?,?,00000000,00000000), ref: 00FC5010
                                    • LoadResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD60
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F), ref: 00FFDD75
                                    • LockResource.KERNEL32(00FC4EEE,?,?,00FC4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00FC4F8F,00000000), ref: 00FFDD88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
                                    • Instruction ID: 453c4b1d4e3757597a0bd7a9ba6dd2ce37bf8838bf497287b15bdac9ce4476a7
                                    • Opcode Fuzzy Hash: 6779b655990172ff1f2f1e9a98cd23781cfb98c4692745edf319806a189221e0
                                    • Instruction Fuzzy Hash: C6119EB5640702BFD7308B29DE89F277BB9EBC9B51F10416CF445C6250DB62E8409660
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,00FFE7C1), ref: 010246A6
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 010246B7
                                    • FindClose.KERNEL32(00000000), ref: 010246C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
                                    • Instruction ID: 37b3ec92f0c7a9fb64fec5ccdcdbfaab8485a39dea77a20cd78a3c3be65af292
                                    • Opcode Fuzzy Hash: 98f695f24a7162bf5592fda5b50f996975b82b070988eab912f594d882d43c4c
                                    • Instruction Fuzzy Hash: 16E0D875910411DB4231663CED8D4EA779C9E09235F000746F9B5C10D0EBB459508696
                                    Strings
                                    • Variable must be of type 'Object'., xrefs: 0100428C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Variable must be of type 'Object'.
                                    • API String ID: 0-109567571
                                    • Opcode ID: 01346e4f062c7d988ff2a77df2211c8f988d9ea880acce1f5022d081b7b6a242
                                    • Instruction ID: 5297ed4cb34d90b38388de7a2cd839747039477521cac9ddf7be36d49587ccc5
                                    • Opcode Fuzzy Hash: 01346e4f062c7d988ff2a77df2211c8f988d9ea880acce1f5022d081b7b6a242
                                    • Instruction Fuzzy Hash: D4A27A75E00206CFDB24CF58C682FADB7B2BB48310F24806DE956AB355D735AC46EB91
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0BBB
                                    • timeGetTime.WINMM ref: 00FD0E76
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FD0FB3
                                    • TranslateMessage.USER32(?), ref: 00FD0FC7
                                    • DispatchMessageW.USER32(?), ref: 00FD0FD5
                                    • Sleep.KERNEL32(0000000A), ref: 00FD0FDF
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00FD105A
                                    • DestroyWindow.USER32 ref: 00FD1066
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD1080
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 010052AD
                                    • TranslateMessage.USER32(?), ref: 0100608A
                                    • DispatchMessageW.USER32(?), ref: 01006098
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 010060AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 4003667617-3242690629
                                    • Opcode ID: 9f22f6dab99c1cf3790ba5dd68d023836f9f8693d2c3f42e744ae83cbd823700
                                    • Instruction ID: 8b04431ff4398230f04665b2b3875a3a2e1a2cdb1515d251b7b6e5a7ada5dd0a
                                    • Opcode Fuzzy Hash: 9f22f6dab99c1cf3790ba5dd68d023836f9f8693d2c3f42e744ae83cbd823700
                                    • Instruction Fuzzy Hash: 61B2B070608342DFE725DB24C885BAEBBE5BF84304F18495EE5C987291DB79E844DF82

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 010291E9: __time64.LIBCMT ref: 010291F3
                                      • Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D
                                    • __wsplitpath.LIBCMT ref: 010294BE
                                      • Part of subcall function 00FE432E: __wsplitpath_helper.LIBCMT ref: 00FE436E
                                    • _wcscpy.LIBCMT ref: 010294D1
                                    • _wcscat.LIBCMT ref: 010294E4
                                    • __wsplitpath.LIBCMT ref: 01029509
                                    • _wcscat.LIBCMT ref: 0102951F
                                    • _wcscat.LIBCMT ref: 01029532
                                      • Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029268
                                      • Part of subcall function 0102922F: _memmove.LIBCMT ref: 01029277
                                    • _wcscmp.LIBCMT ref: 01029479
                                      • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
                                      • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010296DC
                                    • _wcsncpy.LIBCMT ref: 0102974F
                                    • DeleteFileW.KERNEL32(?,?), ref: 01029785
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0102979B
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297AC
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 010297BE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0
                                    • Opcode ID: cb301a7f46eb11954a341c470305aae188728b63813fb5d5f3052cf885f2ac94
                                    • Instruction ID: b8e90ea47ff0496a2bf5425723b75d4fc1dc49c3c4f714dde03f48f4eca41ad6
                                    • Opcode Fuzzy Hash: cb301a7f46eb11954a341c470305aae188728b63813fb5d5f3052cf885f2ac94
                                    • Instruction Fuzzy Hash: 2AC15DB1E0022AABCF21DF95CD85EDEB7BCEF44304F0040AAE649E7141DB359A848F65

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FC3074
                                    • RegisterClassExW.USER32(00000030), ref: 00FC309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
                                    • LoadIconW.USER32(000000A9), ref: 00FC30F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915
                                    • Opcode ID: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
                                    • Instruction ID: 695f17142e0a1e6b64fc7be33f82380ae43c24dd97ade277a3552591a2e83e0a
                                    • Opcode Fuzzy Hash: 8a27e20540b7131c8287b2abc19cace4abe5b7bd4df7980aab1279f42a57b817
                                    • Instruction Fuzzy Hash: 4E3147B585430AEFDB20DFA8D989ACDBBF0FB09310F15426AE5D0E6284D3BA4585CF51

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FC3074
                                    • RegisterClassExW.USER32(00000030), ref: 00FC309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
                                    • LoadIconW.USER32(000000A9), ref: 00FC30F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915
                                    • Opcode ID: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
                                    • Instruction ID: 6d8b39a90248ac08144463e153dd49d5553cc1a1e3346973c19726ff9e3a23f2
                                    • Opcode Fuzzy Hash: b285edccb5b4f0d2f341bfa5233c8fc22144fa6698f60ced5f9272cefc06cadf
                                    • Instruction Fuzzy Hash: 3E2115F5914209EFDB20DFA8E988B8DBBF4FB08700F00421AF994E6284D7BB05448F91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FC4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010862F8,?,00FC37C0,?), ref: 00FC4882
                                      • Part of subcall function 00FE074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00FC72C5), ref: 00FE0771
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FC7308
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FFECF1
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FFED32
                                    • RegCloseKey.ADVAPI32(?), ref: 00FFED70
                                    • _wcscat.LIBCMT ref: 00FFEDC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177
                                    • Opcode ID: 91017787b832242ab613094a6ac7e1935c4c9d912b4c60deb85d69e774d15190
                                    • Instruction ID: 3ddc24607fafa7327b665c54c71b2f05123a0ad348ca36ddea72f4145ced300d
                                    • Opcode Fuzzy Hash: 91017787b832242ab613094a6ac7e1935c4c9d912b4c60deb85d69e774d15190
                                    • Instruction Fuzzy Hash: 7A718C714083069EC324EF25ED829AFBBE8FF84750F50442EF5C587168EB3A9948DB52

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00FC3A62
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FC3A71
                                    • LoadIconW.USER32(00000063), ref: 00FC3A88
                                    • LoadIconW.USER32(000000A4), ref: 00FC3A9A
                                    • LoadIconW.USER32(000000A2), ref: 00FC3AAC
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FC3AD2
                                    • RegisterClassExW.USER32(?), ref: 00FC3B28
                                      • Part of subcall function 00FC3041: GetSysColorBrush.USER32(0000000F), ref: 00FC3074
                                      • Part of subcall function 00FC3041: RegisterClassExW.USER32(00000030), ref: 00FC309E
                                      • Part of subcall function 00FC3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC30AF
                                      • Part of subcall function 00FC3041: InitCommonControlsEx.COMCTL32(?), ref: 00FC30CC
                                      • Part of subcall function 00FC3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FC30DC
                                      • Part of subcall function 00FC3041: LoadIconW.USER32(000000A9), ref: 00FC30F2
                                      • Part of subcall function 00FC3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FC3101
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 423443420-4155596026
                                    • Opcode ID: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
                                    • Instruction ID: 550980d93bf49826335b1a934824ba6877e06b94d8f141326e04c16ebeb47cc8
                                    • Opcode Fuzzy Hash: ae247be6ec55a72f8f53348ebbfe315be81a057ccf0b3053a9d73e5a245f56b2
                                    • Instruction Fuzzy Hash: E5216DB5D04305AFEB20DFA8E949B9D7BB4FB08710F014199F580AA294C3BF55549F80

                                    Control-flow Graph

                                    APIs
                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00FC36D2
                                    • KillTimer.USER32(?,00000001), ref: 00FC36FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC371F
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FC372A
                                    • CreatePopupMenu.USER32 ref: 00FC373E
                                    • PostQuitMessage.USER32(00000000), ref: 00FC375F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                    • String ID: TaskbarCreated
                                    • API String ID: 129472671-2362178303
                                    • Opcode ID: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
                                    • Instruction ID: cb74036093f0342933421f5538f685afba281c9a84cf58eb8cfd9794ee107e12
                                    • Opcode Fuzzy Hash: 45b6d7d708c5d502dd9899b82c489eb0771d8099f8e59c56387f9bac9699dc03
                                    • Instruction Fuzzy Hash: 3041F8F2618107BBDB24AB68EE4BF7D3755FB00390F14411DF68686295CA6F9D00B7A1

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                    • API String ID: 1825951767-3513169116
                                    • Opcode ID: 464ae7cca3ec071b75cb4ea033248b05b05ad52ac9ea229af8d641cb346f9e00
                                    • Instruction ID: 42d73942faf3f7e099cb60b71ace65c8f5adcaddd310caa40fc04a71464456fe
                                    • Opcode Fuzzy Hash: 464ae7cca3ec071b75cb4ea033248b05b05ad52ac9ea229af8d641cb346f9e00
                                    • Instruction Fuzzy Hash: E6A17E72C0422E9ACB14EBA1CD96FEEB778BF14340F04442DF452A7191DF796A09EB60

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E52711
                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E52937
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileFreeVirtual
                                    • String ID: +/
                                    • API String ID: 204039940-4233215163
                                    • Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                    • Instruction ID: fa774c05e568f5e89824ad997a7199d8c9ac999d129c78eed6bf580a01a7d7b3
                                    • Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
                                    • Instruction Fuzzy Hash: 66A11874E00208EBDB18CFE4C894BEEBBB5BF49305F20955DEA01BB280D7759A45DB94

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FC3A15
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FC3A36
                                    • ShowWindow.USER32(00000000,?,?), ref: 00FC3A4A
                                    • ShowWindow.USER32(00000000,?,?), ref: 00FC3A53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
                                    • Instruction ID: 7ebdb3b6ecf06439ea5d9d9ed5fc68bd8a8a48cfb515acc314752cfa6fe6d04b
                                    • Opcode Fuzzy Hash: 646e8708ae788bc3332677d1b1e664ab5b19ca07c9a11129a261167811363c6b
                                    • Instruction Fuzzy Hash: 70F03AB46442A07FEA305667AC48F2B3E7DE7C6F51B02006EB980E6154C2AF0810CBB0

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00E522A0: Sleep.KERNELBASE(000001F4), ref: 00E522B1
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E5252D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: HELFB6Q4K3JMJ9P3KWJD04SGQXTLRD
                                    • API String ID: 2694422964-252676572
                                    • Opcode ID: f54ef03748e4f27ef90260707610bd5e971a0557a16291f75f5e6c1d5cc3417a
                                    • Instruction ID: a9219ecc2c606111b9e9c1c018a627149819ec2834e2243c84310d51d77c2e9d
                                    • Opcode Fuzzy Hash: f54ef03748e4f27ef90260707610bd5e971a0557a16291f75f5e6c1d5cc3417a
                                    • Instruction Fuzzy Hash: 15718270D04288DAEF11DBA4C854BDEBB75AF19304F044598E658BB2C1D7BA0B49CB6A

                                    Control-flow Graph

                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FFD5EC
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    • _memset.LIBCMT ref: 00FC418D
                                    • _wcscpy.LIBCMT ref: 00FC41E1
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: cedb084be49ea3e6e2d0b469372dca1fd7695baff4ab03383e4aa8b8478e971b
                                    • Instruction ID: 24e9563eebccdcd3d755366eb59b60df959d11939afaa08e39a5d241782725ec
                                    • Opcode Fuzzy Hash: cedb084be49ea3e6e2d0b469372dca1fd7695baff4ab03383e4aa8b8478e971b
                                    • Instruction Fuzzy Hash: 1431DE71408306AAD331FB60DE47FDE77E8AF44310F14491EB1C492092EF79A648EB92

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction ID: 8fbf7aabba6e59a3e66e9ebb07997f9bb5e4f8291921101491087935e54d3118
                                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction Fuzzy Hash: A751D631E00B89DBDB249F7BCC8466E77A1AF40B38F248729F835962D1D7749D60AB50
                                    APIs
                                      • Part of subcall function 00FC4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F
                                    • _free.LIBCMT ref: 00FFE68C
                                    • _free.LIBCMT ref: 00FFE6D3
                                      • Part of subcall function 00FC6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: a93dbfcb6c566060e9f219cbf14f04219bf2ad0341e90a21c6e4a068655f67dd
                                    • Instruction ID: d894aaac13a131cf341749d6745c481dc230da8b20d7a352b559d5710ea98645
                                    • Opcode Fuzzy Hash: a93dbfcb6c566060e9f219cbf14f04219bf2ad0341e90a21c6e4a068655f67dd
                                    • Instruction Fuzzy Hash: 9B917C7191021EAFCF04EFA4CD91AEDB7B4FF19314B04446DE955EB2A1DB34A904EB60
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00FC35A1,SwapMouseButtons,00000004,?), ref: 00FC35D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC35F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,00FC35A1,SwapMouseButtons,00000004,?,?,?,?,00FC2754), ref: 00FC3617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
                                    • Instruction ID: 51b0b8de385be5e9a5db51853e5b14600c4ace1cc4d39fca8759814c0e0a5163
                                    • Opcode Fuzzy Hash: 846fc89c7d1c62e6dba3e3aaec79be5112a943407fee046c241046e3c3151073
                                    • Instruction Fuzzy Hash: EE115AB5910209BFDB208F68D985EEEB7B8EF44790F018459F805D7200D2729F40B760
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E51A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E51AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E51B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
                                    • Instruction ID: 7ff33b80cc797d56ebfed16c8c9d4cc2a8cc65071caa8db34804acd0aea2e418
                                    • Opcode Fuzzy Hash: 3790e136272a110f5ab4d8617909c812004bdd41f4683ed991f3cafb80161bff
                                    • Instruction Fuzzy Hash: 77621930A14258DBEB24CFA4C841BDEB372EF58301F1095A9D50DFB290E77A9E85CB59
                                    APIs
                                      • Part of subcall function 00FC5045: _fseek.LIBCMT ref: 00FC505D
                                      • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AAE
                                      • Part of subcall function 010299BE: _wcscmp.LIBCMT ref: 01029AC1
                                    • _free.LIBCMT ref: 0102992C
                                    • _free.LIBCMT ref: 01029933
                                    • _free.LIBCMT ref: 0102999E
                                      • Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
                                      • Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB
                                    • _free.LIBCMT ref: 010299A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                                    • Instruction ID: 67db03b5e7cc8cf04c06ad7dab76d941683f5e4a7cf60b32a82b1c797136cfbf
                                    • Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
                                    • Instruction Fuzzy Hash: A55183B1E04269AFDF249F64CC81B9EBBB9EF48314F00009EF649A7241DB755980CF58
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction ID: e1889389d640fa65a9388f781399392d8cd151b699414527d1cf581cba6bc81c
                                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction Fuzzy Hash: 66412771A007869BDF28CEABC8809AF77A6EF84770B24817DE855D7641D738FD40AB44
                                    APIs
                                    • _memset.LIBCMT ref: 00FFEE62
                                    • GetOpenFileNameW.COMDLG32(?), ref: 00FFEEAC
                                      • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                                      • Part of subcall function 00FE09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Name$Path$FileFullLongOpen_memset
                                    • String ID: X
                                    • API String ID: 3777226403-3081909835
                                    • Opcode ID: 07f175fb5148739110afa21914a26d7036a4ba6a7fe06e81df59553c8bd85750
                                    • Instruction ID: 487e06258b2fe61a18e142f2c93696563fbed220ded97816d43b4f0a6264da1c
                                    • Opcode Fuzzy Hash: 07f175fb5148739110afa21914a26d7036a4ba6a7fe06e81df59553c8bd85750
                                    • Instruction Fuzzy Hash: 50210531E0028C9BCB15DF94CC46BEE7BF89F49314F00405AE508E7281DBB85A899FA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    • Opcode ID: 954647f3c50da98899e2b8dd367b92cea36953b4fa2f2367fbf5673d4fe5298c
                                    • Instruction ID: b2ec82df62cc72ade451f37bb559ceec6c7709401c63930de1a6b10455563a60
                                    • Opcode Fuzzy Hash: 954647f3c50da98899e2b8dd367b92cea36953b4fa2f2367fbf5673d4fe5298c
                                    • Instruction Fuzzy Hash: FB01F972904268AEDB28C6A9CC56EEE7BF89B01205F00419EF592D2181E579A704DB60
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 01029B82
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01029B99
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: 34d7c2d742fe6b283b1911b823e99b38a5659b681b63d8e87d0f0679604c786d
                                    • Instruction ID: 16243388befa27dc80b4b056e124228f41ada5a43e2b30f4f664d0b07e5355b6
                                    • Opcode Fuzzy Hash: 34d7c2d742fe6b283b1911b823e99b38a5659b681b63d8e87d0f0679604c786d
                                    • Instruction Fuzzy Hash: 97D05EB994030EBBDB209A94DD4EF9A772CE704700F0042A1BE9496091DEB655988B95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 637166013c82fd67c198acb3cc3ad71192af955735b5e0d688621c6500499624
                                    • Instruction ID: 61cd67564388175c8ad3a80955a8f79410de2af0176c1d299b5a9eb982593894
                                    • Opcode Fuzzy Hash: 637166013c82fd67c198acb3cc3ad71192af955735b5e0d688621c6500499624
                                    • Instruction Fuzzy Hash: EAF17670A083019FC710DF68C984A6ABBE9FFC8314F44896EF8999B251D775E945CF82
                                    APIs
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
                                      • Part of subcall function 00FE03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401
                                      • Part of subcall function 00FD6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FCFA90), ref: 00FD62B4
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FCFB2D
                                    • OleInitialize.OLE32(00000000), ref: 00FCFBAA
                                    • CloseHandle.KERNEL32(00000000), ref: 010049F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                    • String ID:
                                    • API String ID: 1986988660-0
                                    • Opcode ID: ddca10068eb5e4cbe7ad801cf2310b957ede49741d0830538077be1fc6905c87
                                    • Instruction ID: d334abb05db924e4cbbf01e6cefff0216b6e5b586f5238bff6422716886ff552
                                    • Opcode Fuzzy Hash: ddca10068eb5e4cbe7ad801cf2310b957ede49741d0830538077be1fc6905c87
                                    • Instruction Fuzzy Hash: 1081AAB09092518FC3A4EF7DE65561D7AE6FB58304B12A12EA0D9CB35AEF3F44048F61
                                    APIs
                                    • _memset.LIBCMT ref: 00FC4401
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FC44A6
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FC44C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$_memset
                                    • String ID:
                                    • API String ID: 1505330794-0
                                    • Opcode ID: 926db12962b37474f17e24de2e767777cae642431f924951a0a28c3a15aa453e
                                    • Instruction ID: b18275480cbe878894999ce26db97c6c7f1c73922c0e10c9478cf288a4ea6092
                                    • Opcode Fuzzy Hash: 926db12962b37474f17e24de2e767777cae642431f924951a0a28c3a15aa453e
                                    • Instruction Fuzzy Hash: E73181B19087028FD724DF24D595B9BBBE8FB48314F10092EE9DAC7240D77AA948DB52
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00FE5963
                                      • Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3D2
                                      • Part of subcall function 00FEA3AB: __NMSG_WRITE.LIBCMT ref: 00FEA3DC
                                    • __NMSG_WRITE.LIBCMT ref: 00FE596A
                                      • Part of subcall function 00FEA408: GetModuleFileNameW.KERNEL32(00000000,010843BA,00000104,?,00000001,00000000), ref: 00FEA49A
                                      • Part of subcall function 00FEA408: ___crtMessageBoxW.LIBCMT ref: 00FEA548
                                      • Part of subcall function 00FE32DF: ___crtCorExitProcess.LIBCMT ref: 00FE32E5
                                      • Part of subcall function 00FE32DF: ExitProcess.KERNEL32 ref: 00FE32EE
                                      • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
                                    • RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: 33dde4e94fe22dc4ed22ea4c643a701e2fde8de97ba12c6ef29eab8d76e1a746
                                    • Instruction ID: 741993b4b8af1e8693950498cebf28ca4aac03783e8a661a6ad2327e8df99c17
                                    • Opcode Fuzzy Hash: 33dde4e94fe22dc4ed22ea4c643a701e2fde8de97ba12c6ef29eab8d76e1a746
                                    • Instruction Fuzzy Hash: E701F532604B96DEE6313B67DC46BAD72988F42F78F50002AF444EB2C2DE799D01B365
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,010297D2,?,?,?,?,?,00000004), ref: 01029B45
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 01029B5B
                                    • CloseHandle.KERNEL32(00000000,?,010297D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01029B62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: c6a035ff35c1ce27369fbed9d2d75ff67f77e5327293b1935d2e74aaa4a0ebb9
                                    • Instruction ID: 458573ec4f9c95db11f1bb362fd686251be51e6ca3db2884bca8c4b1f083baa4
                                    • Opcode Fuzzy Hash: c6a035ff35c1ce27369fbed9d2d75ff67f77e5327293b1935d2e74aaa4a0ebb9
                                    • Instruction Fuzzy Hash: 77E08636180225B7EB311A58ED49FCA7F58AB06B65F108110FB94690E087B625119798
                                    APIs
                                    • _free.LIBCMT ref: 01028FA5
                                      • Part of subcall function 00FE2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00FE9C64), ref: 00FE2FA9
                                      • Part of subcall function 00FE2F95: GetLastError.KERNEL32(00000000,?,00FE9C64), ref: 00FE2FBB
                                    • _free.LIBCMT ref: 01028FB6
                                    • _free.LIBCMT ref: 01028FC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
                                    • Instruction ID: 7544be8e301855afb99a78005edff81b99916fbf03bedbea9a1562e5c53cca6b
                                    • Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
                                    • Instruction Fuzzy Hash: 14E0C2A13087904AEAE4A5BDAD00E832BEE0F48211708084FF649DB142EE28E4419024
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    • Opcode ID: 698d9234d493c29b08106a6b6b7dc97e46f8221e3b3eb8d2043e620a3c45ad79
                                    • Instruction ID: 3282dafb19a4cf38a3b30b1aa95c3b47e56eb2e16c4bedfde6ca09c8af5e95e4
                                    • Opcode Fuzzy Hash: 698d9234d493c29b08106a6b6b7dc97e46f8221e3b3eb8d2043e620a3c45ad79
                                    • Instruction Fuzzy Hash: 39226874508346CFD724DF14C996F6ABBE1BF84304F14895DE8868B262DB35EC81EB82
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: EA06
                                    • API String ID: 4104443479-3962188686
                                    • Opcode ID: 77608e9f5f276c4577d4d799ee3693502b3e56b88afec30bb7c1bab1aa9ad2a5
                                    • Instruction ID: 208bb2447c663bc00762e67ede4b169b6d0280927e29cbfeeb86f88bf7d4d2d0
                                    • Opcode Fuzzy Hash: 77608e9f5f276c4577d4d799ee3693502b3e56b88afec30bb7c1bab1aa9ad2a5
                                    • Instruction Fuzzy Hash: FF415E32E041565BDF219B648E73FBE7F66AB41310F19406DEC82DB182C525BD84B3A1
                                    APIs
                                    • IsThemeActive.UXTHEME ref: 00FC4992
                                      • Part of subcall function 00FE35AC: __lock.LIBCMT ref: 00FE35B2
                                      • Part of subcall function 00FE35AC: DecodePointer.KERNEL32(00000001,?,00FC49A7,010181BC), ref: 00FE35BE
                                      • Part of subcall function 00FE35AC: EncodePointer.KERNEL32(?,?,00FC49A7,010181BC), ref: 00FE35C9
                                      • Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FC4A73
                                      • Part of subcall function 00FC4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC4A88
                                      • Part of subcall function 00FC3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FC3B7A
                                      • Part of subcall function 00FC3B4C: IsDebuggerPresent.KERNEL32 ref: 00FC3B8C
                                      • Part of subcall function 00FC3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,010862F8,010862E0,?,?), ref: 00FC3BFD
                                      • Part of subcall function 00FC3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00FC3C81
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FC49D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                    • String ID:
                                    • API String ID: 1438897964-0
                                    • Opcode ID: 72f8ec42bb3368ea17f27a090b10f9c4be89d524b759ca46ef3138f84441f429
                                    • Instruction ID: 21c2af2e256dd0d1b67f72190dd14d91393fbede4af31a6c4f358df3f33cc44b
                                    • Opcode Fuzzy Hash: 72f8ec42bb3368ea17f27a090b10f9c4be89d524b759ca46ef3138f84441f429
                                    • Instruction Fuzzy Hash: 08118E719187129BC310DF29D94AE0EFBE8EB94710F00451EF4C5872A5DBBA9544DB92
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FC5E27
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00FC5981,?,?,?,?), ref: 00FFE19C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 33486ab3345960c05a6ec8692f72226ac9958e06dac5eb079a38bf389abc6520
                                    • Instruction ID: 84d18bd1ac8362775e5fb2b518be7597c9f8310cca86081aed6e0a5fca63085a
                                    • Opcode Fuzzy Hash: 33486ab3345960c05a6ec8692f72226ac9958e06dac5eb079a38bf389abc6520
                                    • Instruction Fuzzy Hash: 6401B571644709BFF3240E29CD8BF763B9CEB01B78F108319BAE55A1E0C6B42E859B50
                                    APIs
                                      • Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
                                      • Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
                                      • Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
                                    • std::exception::exception.LIBCMT ref: 00FE102C
                                    • __CxxThrowException@8.LIBCMT ref: 00FE1041
                                      • Part of subcall function 00FE87DB: RaiseException.KERNEL32(?,?,?,0107BAF8,00000000,?,?,?,?,00FE1046,?,0107BAF8,?,00000001), ref: 00FE8830
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 3902256705-0
                                    • Opcode ID: d164e7e741b2cd7b3399768fd44f3ec5d7fdcf7d92d859fe8ffe49f7c3d92d8c
                                    • Instruction ID: 026f9370e835f24a7cd2fbd39b19f0a4dbe5c7d40804ec36e918eb6c1aa66df7
                                    • Opcode Fuzzy Hash: d164e7e741b2cd7b3399768fd44f3ec5d7fdcf7d92d859fe8ffe49f7c3d92d8c
                                    • Instruction Fuzzy Hash: 76F0C8359003DDA6CB24BA5BEC159DF7BACAF01361F100426FD08A6691DF758EC1A2E5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: 400d98256557c873ff2c5191cda19c0271313d591977ff5073eb37f24ad8eb01
                                    • Instruction ID: dd8c69ca46f146b3a0a1d9a48875774332dff531823be39d04b39107afc3002b
                                    • Opcode Fuzzy Hash: 400d98256557c873ff2c5191cda19c0271313d591977ff5073eb37f24ad8eb01
                                    • Instruction Fuzzy Hash: 9501AC71C01689EBCF11BF678C0559F7B61AF807A4F144215F8245B161DB35CB12FB51
                                    APIs
                                      • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
                                    • __lock_file.LIBCMT ref: 00FE561B
                                      • Part of subcall function 00FE6E4E: __lock.LIBCMT ref: 00FE6E71
                                    • __fclose_nolock.LIBCMT ref: 00FE5626
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: 84f3bd9e84f476ae0f533e076ca0548fd1a36ec49c2c03e2b7e77798d58e281f
                                    • Instruction ID: b20910914a39f2b3d17e9706fc6a49a500a9ea1d7aefae49b35bfdedf43b21a3
                                    • Opcode Fuzzy Hash: 84f3bd9e84f476ae0f533e076ca0548fd1a36ec49c2c03e2b7e77798d58e281f
                                    • Instruction Fuzzy Hash: 49F09072C00A859ADB20BB778C0276E77A16F40B78F558209E428AB1C1CF7C8902BB55
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC81DA
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,00FC558F,?,?,?,?,?), ref: 00FC820D
                                      • Part of subcall function 00FC78AD: _memmove.LIBCMT ref: 00FC78E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$_memmove
                                    • String ID:
                                    • API String ID: 3033907384-0
                                    • Opcode ID: aedc08ee47e5fb1026d64b93ade504366b1348cf3bd1d28a545829648608f760
                                    • Instruction ID: 79c591df5ef61c4e55a787d7c0a0b506a62be1318a3e0e1d0302fb6f61beec27
                                    • Opcode Fuzzy Hash: aedc08ee47e5fb1026d64b93ade504366b1348cf3bd1d28a545829648608f760
                                    • Instruction Fuzzy Hash: 7501A2752012057FEB247A26DE4BFBB3B5CEB85760F10802AFD05CD190DE71D800A671
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00E51A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E51AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E51B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                    • Instruction ID: f9a3c796ea6a4ac2b858a4fd346498e86905c530f4ea0d86b569586e294da637
                                    • Opcode Fuzzy Hash: 282d440d23347d33a5333bc70feb3b77e7ffa06fe9f8fdc76eda24defaf3804a
                                    • Instruction Fuzzy Hash: 6612FE20E14658C6EB24DF60D8507DEB232EF68300F10A4E9D10DEB7A5E77A4F85CB5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bfe54d652a41bb23b00f87bc1a7ffc2d0a88f717980d6aefbaf7b7997ba5215
                                    • Instruction ID: c3c389e3f7bf10b0b3dcdaccade73edf0c1865d9e9124b0561d684e9fc0bd1d5
                                    • Opcode Fuzzy Hash: 5bfe54d652a41bb23b00f87bc1a7ffc2d0a88f717980d6aefbaf7b7997ba5215
                                    • Instruction Fuzzy Hash: B3618A71A0020A9FDB14DF24CA82FAAB7E6EF44310F14847DEA4A87281D775ED59DB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 958910b9efad8cddae8ee012cf19eae05a03c52ca047bf4f0c7da7af73f9eb16
                                    • Instruction ID: 6a67f3f21d65afa720bae448311b13112eb1a2ab7a66186c2d50c71255843cb8
                                    • Opcode Fuzzy Hash: 958910b9efad8cddae8ee012cf19eae05a03c52ca047bf4f0c7da7af73f9eb16
                                    • Instruction Fuzzy Hash: 9D51D531600205AFDF15EB58CD92FAE77E6AF85710F188099F9469B382CB35ED40EB51
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00FC5CF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: 0edd0e5ed245885d53fc7786f09bd694f9fc12f27fed18987782f4db9a1264fc
                                    • Instruction ID: e250512d6f74980b867d2f30c543c9a02284e543238830f07a1208fba834ed3e
                                    • Opcode Fuzzy Hash: 0edd0e5ed245885d53fc7786f09bd694f9fc12f27fed18987782f4db9a1264fc
                                    • Instruction Fuzzy Hash: A3316D71A00B0AAFCB18CF6DC585B6DB7B1FF48720F148619D81A93710D771B9A0EB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: b6065abe49296374c818949ed73fcb17bf451c3f36349cf434a8611627592d9c
                                    • Instruction ID: 537438aa2eb644e2613f50172a86da0e3d8f775fed40455e92e95ed8daa00d4f
                                    • Opcode Fuzzy Hash: b6065abe49296374c818949ed73fcb17bf451c3f36349cf434a8611627592d9c
                                    • Instruction Fuzzy Hash: F8412774908342CFDB25DF19C585F1ABBE0BF45318F09889CE98A4B762C736E845DB52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp
                                    • String ID:
                                    • API String ID: 856254489-0
                                    • Opcode ID: 07e3a2283adeabac325f6b0a9c4b7ec24ffee144cb57945f42e13be13ebd676c
                                    • Instruction ID: 4d50415b09ef5ebbb37c87ef94121614d77f1f355ad374f7796ed63c9915a2f5
                                    • Opcode Fuzzy Hash: 07e3a2283adeabac325f6b0a9c4b7ec24ffee144cb57945f42e13be13ebd676c
                                    • Instruction Fuzzy Hash: C8112731D0021ADBDB11EBAACD82EEEF7B8EF81360F00411AF814A7190DB349D05DB90
                                    APIs
                                      • Part of subcall function 00FC4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00FC4D4D
                                      • Part of subcall function 00FE548B: __wfsopen.LIBCMT ref: 00FE5496
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4F6F
                                      • Part of subcall function 00FC4CC8: FreeLibrary.KERNEL32(00000000), ref: 00FC4D02
                                      • Part of subcall function 00FC4DD0: _memmove.LIBCMT ref: 00FC4E1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    • Opcode ID: e2eea9debacd2badac9fc8bb716ceb97386ddce2c13ad754ab799d49c004e554
                                    • Instruction ID: 40d317d4d11bebca702011a73ed2594e9e5b6b67d5c8955858d70c54a3169704
                                    • Opcode Fuzzy Hash: e2eea9debacd2badac9fc8bb716ceb97386ddce2c13ad754ab799d49c004e554
                                    • Instruction Fuzzy Hash: EA11E73260020BABCB14FF74CE67FAE77A59F40711F10842DF941A71C1DA79AA05BBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 4e9a7c86cb5b099fa2ebb4ac6d271f299bf7b33d84794a096567de5af2cc22a2
                                    • Instruction ID: 6839bc1544fa5c5f571c7a574a3a78f3906c3eaa3694fdcd9b6dcec8c5f32ede
                                    • Opcode Fuzzy Hash: 4e9a7c86cb5b099fa2ebb4ac6d271f299bf7b33d84794a096567de5af2cc22a2
                                    • Instruction Fuzzy Hash: 0B211FB4908342DFDB25DF65C985F1ABBE0BB84318F04886CE98A47761C735F845DB92
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: acfb2f6243b039b5672768ffc86251c791cf0114a286c1c20b526726435d8d17
                                    • Instruction ID: 11bc0a64a54025b714b72df16cf6a38998a267ac1b6246481cb3cf30f0a63168
                                    • Opcode Fuzzy Hash: acfb2f6243b039b5672768ffc86251c791cf0114a286c1c20b526726435d8d17
                                    • Instruction Fuzzy Hash: 1201807384A2818FC352C774D95A6D03BB6DE5762932801DDDC429A532E5675C13AB50
                                    APIs
                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00FC5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00FC5D76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: d4a9a9d0ba70d058b370f06285ec8d894eb2f73a0098b7dccdf08dd7fc858e24
                                    • Instruction ID: b0c01ff4529aa5a52576b4b4d75a03c56a90b2043c77137b5df0bad612d6ff53
                                    • Opcode Fuzzy Hash: d4a9a9d0ba70d058b370f06285ec8d894eb2f73a0098b7dccdf08dd7fc858e24
                                    • Instruction Fuzzy Hash: D6115871608B029FD3308F05CA85F62B7E4EB45B20F10892EE8AB86A50D771F984DB60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp
                                    • String ID:
                                    • API String ID: 856254489-0
                                    • Opcode ID: 4b2744e15493722d91e3cab164d56c5558369f6d03e87fc5a0b12a12ca92fdb2
                                    • Instruction ID: 3e61940a78bc20fe5916723dfd428ec611d2deea0dd79eee30c2276a697dd80b
                                    • Opcode Fuzzy Hash: 4b2744e15493722d91e3cab164d56c5558369f6d03e87fc5a0b12a12ca92fdb2
                                    • Instruction Fuzzy Hash: DA012632C082869FD7129B288D52EAAFFB4DF53360F19409FD894DB2A1D2349C46DB81
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
                                    • Instruction ID: 9b1933c48d91a6898f0812f881bf40fbe1ae7e743c250e0dcaee412db57bc28c
                                    • Opcode Fuzzy Hash: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
                                    • Instruction Fuzzy Hash: 1701D6732047426ED3206B29CC03F67BBA8EB447A0F10853EF65ACA191EA75E550EB90
                                    APIs
                                    • __lock_file.LIBCMT ref: 00FE4AD6
                                      • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: 4166419d4f7c8d24f6847da06c398fa2ca6d6aa1c68465d1d7776b04350b418c
                                    • Instruction ID: 5695d4dfa45f5eeb2f1b3a7ee6eec8b59ea2b1f304bd36bc9a68783e2bb79a04
                                    • Opcode Fuzzy Hash: 4166419d4f7c8d24f6847da06c398fa2ca6d6aa1c68465d1d7776b04350b418c
                                    • Instruction Fuzzy Hash: 0CF0AF31D40289ABDF61BF668C063AF36A1AF00775F048528F828AA1D1DB7C9A51FF55
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4FDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: aa627b5eaed96fa83defd2fb009054a3c2deb9ed78f0251f2c0b276501191d28
                                    • Instruction ID: c6d90210e7c903356aaf45fa3c339eeda5847e7d4a7ccd7260384860e7cff250
                                    • Opcode Fuzzy Hash: aa627b5eaed96fa83defd2fb009054a3c2deb9ed78f0251f2c0b276501191d28
                                    • Instruction Fuzzy Hash: ACF015B2505712CFCB389F64E5A5E12BBE1AF043293248A2EE5D683A10C772A840EF40
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FE09F4
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    • Opcode ID: b41c44c60b8027eb031677c67fe116006482fe76821e25d5383b1878c17e2755
                                    • Instruction ID: b8ae64170d493905cb9766380aa7bb2c89b999c6ed3dad512c24c1df1ec25213
                                    • Opcode Fuzzy Hash: b41c44c60b8027eb031677c67fe116006482fe76821e25d5383b1878c17e2755
                                    • Instruction Fuzzy Hash: F5E086769052299BC720E5589C06FFA77ADDF88790F0401B5FD4CD7208D9659C818690
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
                                    • Instruction ID: 52c2e9313693a37e291c8b4e9899284925bd6d27f3b1f403c9eaeeee53cc3c9e
                                    • Opcode Fuzzy Hash: 85a266c19ac15f6dd4f37f244161312340f338b31e1d7e5613d3c154e10e17cf
                                    • Instruction Fuzzy Hash: BEE092B0104B505FDB798A28D8107E377E0AB06319F00085DF2DA83342EB627841C759
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00FFE16B,?,?,00000000), ref: 00FC5DBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: feebc1120ae8911a2392ab6ab9a9b4e264f8ae4216e3b71a4c05ee68a4de55fe
                                    • Instruction ID: a589d4ba8fbfbd6a2bbaf5377417d3eb3fda3c3b75315c4c401cd6dc18917300
                                    • Opcode Fuzzy Hash: feebc1120ae8911a2392ab6ab9a9b4e264f8ae4216e3b71a4c05ee68a4de55fe
                                    • Instruction Fuzzy Hash: 70D0C77464020CBFE710DB84DC46FA9777CD705710F100194FD0456290D6B27D508795
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction ID: 45f44c800f194e76492d40cf083b43dc43a9e5955b87bca747f1a7c98342ac2b
                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                    • Instruction Fuzzy Hash: 33B0927684020C77DE022E82EC02A593B199B40A78F808020FB0C181A2A677A6A0A689
                                    APIs
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 0102D46A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: d7b07d613f1d6376972fde00ab032fe1c38d647cd9445c8fe1c2a71ebe6269e0
                                    • Instruction ID: ac1f78c35e8e417bf09744457658355e107d7f20729dbc24c88ff760e764a79f
                                    • Opcode Fuzzy Hash: d7b07d613f1d6376972fde00ab032fe1c38d647cd9445c8fe1c2a71ebe6269e0
                                    • Instruction Fuzzy Hash: 2E7161302083128FC714EF68C991FAAB7E0AF88714F04456DF5968B291DF78ED49DB52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: 6889ebc193a5197ae199a0f35fdea1615ee37309587f54b6db755d99459beeb6
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: 81312971A00186DFC718DF4AC480A69F7B2FF59310B688AA5E409CB251DB70EDC0EBD0
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 00E522B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction ID: 7a2e7bd3db2af42ae3e66d32e6009b745e00a2ebb11ecd8031f21644bc47ed1b
                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction Fuzzy Hash: F5E0BF7594010EEFDB00EFA4D5496DE7BB4EF04312F1005A5FE05E7690DB309E548A62
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 00E522B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: f593daa0260e61329338545381e2da69b90be7c845c973726b6d68fc683cf50a
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: 31E0E67594010EEFDB00EFB4D54969E7FB4EF04302F100565FD05E2280D6309D508A72
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0104CE50
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CE91
                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0104CED6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104CF00
                                    • SendMessageW.USER32 ref: 0104CF29
                                    • _wcsncpy.LIBCMT ref: 0104CFA1
                                    • GetKeyState.USER32(00000011), ref: 0104CFC2
                                    • GetKeyState.USER32(00000009), ref: 0104CFCF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0104CFE5
                                    • GetKeyState.USER32(00000010), ref: 0104CFEF
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0104D018
                                    • SendMessageW.USER32 ref: 0104D03F
                                    • SendMessageW.USER32(?,00001030,?,0104B602), ref: 0104D145
                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0104D15B
                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0104D16E
                                    • SetCapture.USER32(?), ref: 0104D177
                                    • ClientToScreen.USER32(?,?), ref: 0104D1DC
                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0104D1E9
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0104D203
                                    • ReleaseCapture.USER32 ref: 0104D20E
                                    • GetCursorPos.USER32(?), ref: 0104D248
                                    • ScreenToClient.USER32(?,?), ref: 0104D255
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D2B1
                                    • SendMessageW.USER32 ref: 0104D2DF
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D31C
                                    • SendMessageW.USER32 ref: 0104D34B
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0104D36C
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0104D37B
                                    • GetCursorPos.USER32(?), ref: 0104D39B
                                    • ScreenToClient.USER32(?,?), ref: 0104D3A8
                                    • GetParent.USER32(?), ref: 0104D3C8
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0104D431
                                    • SendMessageW.USER32 ref: 0104D462
                                    • ClientToScreen.USER32(?,?), ref: 0104D4C0
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0104D4F0
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0104D51A
                                    • SendMessageW.USER32 ref: 0104D53D
                                    • ClientToScreen.USER32(?,?), ref: 0104D58F
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0104D5C3
                                      • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0104D65F
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 3977979337-4164748364
                                    • Opcode ID: 54cd8ddce78d8114f8cc6e181f49efc3ec22fce8cace83a8388bf8a94f7b2b56
                                    • Instruction ID: cf7a391e6659eaa18b4db3871dbb4860fb414c74fcaf84db2daa78508a55fc03
                                    • Opcode Fuzzy Hash: 54cd8ddce78d8114f8cc6e181f49efc3ec22fce8cace83a8388bf8a94f7b2b56
                                    • Instruction Fuzzy Hash: 2D42BEB4205241AFE725DF68C984FAABFE5FF48354F04056DF6D5872A1C736A840CB92
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0104873F
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: 2832f18cfc75a377396424ef4e49ac60a4ac3198b2b500326c326dc68084ddc6
                                    • Instruction ID: d76cf44dc4275493cfdcfb024a090ded35eb1490b16b901f724a6f9dfbf180d4
                                    • Opcode Fuzzy Hash: 2832f18cfc75a377396424ef4e49ac60a4ac3198b2b500326c326dc68084ddc6
                                    • Instruction Fuzzy Hash: 8E1213B0500245ABEB259FA8CD89FAE7BF8FF49750F00856AFA95EA191DB748540CB10
                                    APIs
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-1798697756
                                    • Opcode ID: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
                                    • Instruction ID: 94fe261d8f19de269f3eca581cbdbd4c11bd9119e01c993aa6ff0a4a9b65a679
                                    • Opcode Fuzzy Hash: af6937b09511c39889588a2e3751a1cd7b8400b7facfab1d037aabcae3de7fe5
                                    • Instruction Fuzzy Hash: A8939171E00215DBDB24DF98C8817ADB7F1FF48320F2885AAE985EB395E7749981DB40
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 00FC4A3D
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FFDA8E
                                    • IsIconic.USER32(?), ref: 00FFDA97
                                    • ShowWindow.USER32(?,00000009), ref: 00FFDAA4
                                    • SetForegroundWindow.USER32(?), ref: 00FFDAAE
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FFDAC4
                                    • GetCurrentThreadId.KERNEL32 ref: 00FFDACB
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FFDAD7
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAE8
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00FFDAF0
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00FFDAF8
                                    • SetForegroundWindow.USER32(?), ref: 00FFDAFB
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB10
                                    • keybd_event.USER32(00000012,00000000), ref: 00FFDB1B
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB25
                                    • keybd_event.USER32(00000012,00000000), ref: 00FFDB2A
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB33
                                    • keybd_event.USER32(00000012,00000000), ref: 00FFDB38
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FFDB42
                                    • keybd_event.USER32(00000012,00000000), ref: 00FFDB47
                                    • SetForegroundWindow.USER32(?), ref: 00FFDB4A
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00FFDB71
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
                                    • Instruction ID: 14f72b0facbe07754ba3db60e6e61433e768529b22ed09ef54b63158d704d455
                                    • Opcode Fuzzy Hash: 2083cab603aae1556ece71562a545e63597b45ebb9a712245bafcf7b99d075a3
                                    • Instruction Fuzzy Hash: D7319FB5A8031CBBEB306FA59D89F7F3E6CEF44B60F104015FB00EA190C6B55900ABA4
                                    APIs
                                      • Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
                                      • Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
                                      • Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47
                                    • _memset.LIBCMT ref: 0101889B
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010188ED
                                    • CloseHandle.KERNEL32(?), ref: 010188FE
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 01018915
                                    • GetProcessWindowStation.USER32 ref: 0101892E
                                    • SetProcessWindowStation.USER32(00000000), ref: 01018938
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01018952
                                      • Part of subcall function 01018713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
                                      • Part of subcall function 01018713: CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: 17426ba6c7ed4eda4fa142c63ed2aca72e01364d46733d3338bc3064dddf93c4
                                    • Instruction ID: f2d3a18f4916b2dc3e1a93db0dfca67da4432a8bfc9c5aac7206bb24898925b7
                                    • Opcode Fuzzy Hash: 17426ba6c7ed4eda4fa142c63ed2aca72e01364d46733d3338bc3064dddf93c4
                                    • Instruction Fuzzy Hash: 36814FB6D0024ABFEF11DFA8DD44AEE7BB8FF05305F08815AF990A6154D7398A14DB60
                                    APIs
                                    • OpenClipboard.USER32(0104F910), ref: 01034284
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 01034292
                                    • GetClipboardData.USER32(0000000D), ref: 0103429A
                                    • CloseClipboard.USER32 ref: 010342A6
                                    • GlobalLock.KERNEL32(00000000), ref: 010342C2
                                    • CloseClipboard.USER32 ref: 010342CC
                                    • GlobalUnlock.KERNEL32(00000000), ref: 010342E1
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 010342EE
                                    • GetClipboardData.USER32(00000001), ref: 010342F6
                                    • GlobalLock.KERNEL32(00000000), ref: 01034303
                                    • GlobalUnlock.KERNEL32(00000000), ref: 01034337
                                    • CloseClipboard.USER32 ref: 01034447
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                    • String ID:
                                    • API String ID: 3222323430-0
                                    • Opcode ID: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
                                    • Instruction ID: 2d3aa62b0cd9c0d04471d6c602c5da866f350841dd73c84835b4a5c419731c37
                                    • Opcode Fuzzy Hash: e28a9b5ff094c309f25d7cae2b2ac6b647dcdfb2250f66e6a6a4a28474e3dc27
                                    • Instruction Fuzzy Hash: 58518FB9204303ABD311AF69EE86F6E77ACAF84B00F004529F5D6D6191DF79D9048B62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0102C9F8
                                    • FindClose.KERNEL32(00000000), ref: 0102CA4C
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA71
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0102CA88
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0102CAAF
                                    • __swprintf.LIBCMT ref: 0102CAFB
                                    • __swprintf.LIBCMT ref: 0102CB3E
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                    • __swprintf.LIBCMT ref: 0102CB92
                                      • Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931
                                    • __swprintf.LIBCMT ref: 0102CBE0
                                      • Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE3953
                                      • Part of subcall function 00FE38D8: __flsbuf.LIBCMT ref: 00FE396B
                                    • __swprintf.LIBCMT ref: 0102CC2F
                                    • __swprintf.LIBCMT ref: 0102CC7E
                                    • __swprintf.LIBCMT ref: 0102CCCD
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    • Opcode ID: 8246f4c85465e6774ce25d088b6b3773667ff704a2392b858cdc43bcd1b4482c
                                    • Instruction ID: 04800fd5ec1c840ba9d975b6d8d15e96aed7afb9b3e2009d7fd6e85c1f907847
                                    • Opcode Fuzzy Hash: 8246f4c85465e6774ce25d088b6b3773667ff704a2392b858cdc43bcd1b4482c
                                    • Instruction Fuzzy Hash: 7CA15FB2408345ABD710EB65CE86EAFB7ECAF84700F40491DF585C3191EB78DA08DB62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0102F221
                                    • _wcscmp.LIBCMT ref: 0102F236
                                    • _wcscmp.LIBCMT ref: 0102F24D
                                    • GetFileAttributesW.KERNEL32(?), ref: 0102F25F
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 0102F279
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0102F291
                                    • FindClose.KERNEL32(00000000), ref: 0102F29C
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0102F2B8
                                    • _wcscmp.LIBCMT ref: 0102F2DF
                                    • _wcscmp.LIBCMT ref: 0102F2F6
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0102F308
                                    • SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F326
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F330
                                    • FindClose.KERNEL32(00000000), ref: 0102F33D
                                    • FindClose.KERNEL32(00000000), ref: 0102F34F
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
                                    • Instruction ID: 686070ed8eac03766aafa56be816abe9fc7ff8f429e043015ccfc10f2b6a7368
                                    • Opcode Fuzzy Hash: 60c071c229fd0a523425075cadbbba6cf034fa3a5a88ad1f9ad5fea67eea62dd
                                    • Instruction Fuzzy Hash: 5931F97660022B6FDB20DAB9DC9CEDE7BFC9F092A1F148195E980D3050EB35DA45CB64
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040BDE
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0104F910,00000000,?,00000000,?,?), ref: 01040C4C
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01040C94
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01040D1D
                                    • RegCloseKey.ADVAPI32(?), ref: 0104103D
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0104104A
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 36fa88c24e5c6882122c72086c267d6408d3fbbef5154b3c6fddfee7e4072fc9
                                    • Instruction ID: 5644c0fb82c1db8ac7f48d6071cf2f06e349d3268ace53f17e3408ee76d3b2dc
                                    • Opcode Fuzzy Hash: 36fa88c24e5c6882122c72086c267d6408d3fbbef5154b3c6fddfee7e4072fc9
                                    • Instruction Fuzzy Hash: EB028D752046029FCB14EF29C985E2AB7E5FF88710F05846DF98A9B761CB79EC40DB81
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0102F37E
                                    • _wcscmp.LIBCMT ref: 0102F393
                                    • _wcscmp.LIBCMT ref: 0102F3AA
                                      • Part of subcall function 010245C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010245DC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0102F3D9
                                    • FindClose.KERNEL32(00000000), ref: 0102F3E4
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0102F400
                                    • _wcscmp.LIBCMT ref: 0102F427
                                    • _wcscmp.LIBCMT ref: 0102F43E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0102F450
                                    • SetCurrentDirectoryW.KERNEL32(0107A5A0), ref: 0102F46E
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0102F478
                                    • FindClose.KERNEL32(00000000), ref: 0102F485
                                    • FindClose.KERNEL32(00000000), ref: 0102F497
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
                                    • Instruction ID: 3939c2a3638435939f8bf36f501735eaf98bf1be64ee9c045d5c057bac3ef404
                                    • Opcode Fuzzy Hash: e903157c0471cabe1a25a234ac2d283f1b97de4a99cf8da0490ca80ea98ae7bd
                                    • Instruction Fuzzy Hash: C631FA7550122B6FDB20AA79DC88ADE7BFC9F092A1F144195E9C0D3090DB75DA44CB64
                                    APIs
                                      • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
                                      • Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
                                      • Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
                                      • Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
                                      • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
                                      • Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
                                      • Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
                                      • Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0101825B
                                    • _memset.LIBCMT ref: 01018270
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101828F
                                    • GetLengthSid.ADVAPI32(?), ref: 010182A0
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 010182DD
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010182F9
                                    • GetLengthSid.ADVAPI32(?), ref: 01018316
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018325
                                    • HeapAlloc.KERNEL32(00000000), ref: 0101832C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101834D
                                    • CopySid.ADVAPI32(00000000), ref: 01018354
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018385
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010183AB
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010183BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
                                    • Instruction ID: cbc3c99b3c2c163c81f0aa440f22402fb584fbc30612cffd72df5bc753cf1182
                                    • Opcode Fuzzy Hash: 7d7c97a0aaa8a2bdcd1d8b958af619b8327b0464e6248441c246e5fdda5ad538
                                    • Instruction Fuzzy Hash: 0F617C7590020AAFDF14DFA8DD84AEEBBB9FF04200F04C15AF955A7294DB399A01DB60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    • Opcode ID: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
                                    • Instruction ID: e5c79fd77671ef6b50e43699bc5fdbddfce0d7b9d3d395c88f89725d30e1da84
                                    • Opcode Fuzzy Hash: d73192275475527b772414cfc022a9a27a5cebfc8bd198e66f15e2178d571af4
                                    • Instruction Fuzzy Hash: 81727271E00219DBDB18CF68D8807ADB7F6FF48310F1881AAE999EB394D7749941DB90
                                    APIs
                                      • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040737
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 010407D6
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0104086E
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01040AAD
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01040ABA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    • Opcode ID: dd3c105eb0041b6695eb6122b30351771acc55a71b21175f65cd97b88cdac3a1
                                    • Instruction ID: f70d9755ba02cd4900e7ca3394f76d2c4441ee153bae463e918ddd4d3ef57441
                                    • Opcode Fuzzy Hash: dd3c105eb0041b6695eb6122b30351771acc55a71b21175f65cd97b88cdac3a1
                                    • Instruction Fuzzy Hash: 9FE17D71204201AFCB14DF29C985E6ABBE8FF88714F04896DF58ADB265DB35ED01CB52
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 01020241
                                    • GetAsyncKeyState.USER32(000000A0), ref: 010202C2
                                    • GetKeyState.USER32(000000A0), ref: 010202DD
                                    • GetAsyncKeyState.USER32(000000A1), ref: 010202F7
                                    • GetKeyState.USER32(000000A1), ref: 0102030C
                                    • GetAsyncKeyState.USER32(00000011), ref: 01020324
                                    • GetKeyState.USER32(00000011), ref: 01020336
                                    • GetAsyncKeyState.USER32(00000012), ref: 0102034E
                                    • GetKeyState.USER32(00000012), ref: 01020360
                                    • GetAsyncKeyState.USER32(0000005B), ref: 01020378
                                    • GetKeyState.USER32(0000005B), ref: 0102038A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
                                    • Instruction ID: 16d72109504159aa8d68255a0692aa95314a5acb8e9e5675f0c02747c5431e97
                                    • Opcode Fuzzy Hash: 4e4376f95228cecdb01f4a859161e98994454f8e2af295aceb2d645ca9fe7fc6
                                    • Instruction Fuzzy Hash: 9241D9746047DA6FFFB28A6C84043A6BEE46F02340F08C0DEE6C6461C7E7A555C887A2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
                                    • Instruction ID: ff00440354aff274a7889ec3aa26606ad20f242f3b4e5cee167302bf36aa03d2
                                    • Opcode Fuzzy Hash: 4edd8424470326145187b7c63c67b6918bbfcc0992eb6f8fa72c19e5646d80ce
                                    • Instruction Fuzzy Hash: A221C9793006129FDB219F69ED49F6E77A8EF44711F00805AF9C6CB2A5CB7AAD00CB54
                                    APIs
                                      • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                                      • Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4
                                    • FindFirstFileW.KERNEL32(?,?), ref: 01023ADF
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 01023B87
                                    • MoveFileW.KERNEL32(?,?), ref: 01023B9A
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 01023BB7
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 01023BD9
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 01023BF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 4002782344-1173974218
                                    • Opcode ID: b04951bf6eb65f1efb8f83fbfce2d81c4f7f2c311b60735b7186062a1457bdf1
                                    • Instruction ID: 8d728da8082c0e0aacb50baf8b73efd5e22c0386ce3ecf41c9f253a5613f705c
                                    • Opcode Fuzzy Hash: b04951bf6eb65f1efb8f83fbfce2d81c4f7f2c311b60735b7186062a1457bdf1
                                    • Instruction Fuzzy Hash: F851633180125E9ACF15FBA4CE93EEDB7B9AF18300F6441A9E58177091DF296F09DB60
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0102F6AB
                                    • Sleep.KERNEL32(0000000A), ref: 0102F6DB
                                    • _wcscmp.LIBCMT ref: 0102F6EF
                                    • _wcscmp.LIBCMT ref: 0102F70A
                                    • FindNextFileW.KERNEL32(?,?), ref: 0102F7A8
                                    • FindClose.KERNEL32(00000000), ref: 0102F7BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    • API String ID: 713712311-438819550
                                    • Opcode ID: 4aba90532e07acf6a73c4bdc5289523f149f95d5bf9008c1cb4ab11fb4f2c51e
                                    • Instruction ID: b4511ec4f0967d16eae9e63b47c205abb70f5c38c89cfd50c0269488e35bf9cb
                                    • Opcode Fuzzy Hash: 4aba90532e07acf6a73c4bdc5289523f149f95d5bf9008c1cb4ab11fb4f2c51e
                                    • Instruction Fuzzy Hash: 6F41AF7190021B9FDF61EF68CD89EEEBBB4FF05350F14459AE894A3190DB359A44CB90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-1546025612
                                    • Opcode ID: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
                                    • Instruction ID: 6d0aed1e80f38552843c95dba0625cc776b3b4847f380836ce0cdb9abde9d2ca
                                    • Opcode Fuzzy Hash: ce4d4ba344302b3f548ed25106c882fd932786b3949d59985f5d90bcc83d188c
                                    • Instruction Fuzzy Hash: C5A27371D0021ACBEF25CF58C9907ADB7B2BF44314F1881AAD996A7380D734AD81EF51
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: e6351714a6ba615870fffbcbe4d197df40e7a7ba964f4be475091ac76dcb88ae
                                    • Instruction ID: d3cf0c596feb3439809623000febf15a9dc83b4fa80f432ab40f158443feb1d4
                                    • Opcode Fuzzy Hash: e6351714a6ba615870fffbcbe4d197df40e7a7ba964f4be475091ac76dcb88ae
                                    • Instruction Fuzzy Hash: 8A12DE70A0060ADFDF14DFA5C981AEEB7F6FF48300F14412AE486A7255EB3AAD51DB50
                                    APIs
                                      • Part of subcall function 01018CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
                                      • Part of subcall function 01018CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
                                      • Part of subcall function 01018CC3: GetLastError.KERNEL32 ref: 01018D47
                                    • ExitWindowsEx.USER32(?,00000000), ref: 0102549B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
                                    • Instruction ID: 418a9fd985b55aabd1ad42c4fb03464bd9f1e1d9ad76c31af52627156763ea5b
                                    • Opcode Fuzzy Hash: 609d7be520e32b907b5bc78627caeb05ccfc0700cdefe409fb7f77605f2dfcf1
                                    • Instruction Fuzzy Hash: 53014C71B562325BF778567CDC4ABFAF2A8EB0425BF140061FDC6D60C2DE954C004298
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010365EF
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010365FE
                                    • bind.WSOCK32(00000000,?,00000010), ref: 0103661A
                                    • listen.WSOCK32(00000000,00000005), ref: 01036629
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036643
                                    • closesocket.WSOCK32(00000000,00000000), ref: 01036657
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
                                    • Instruction ID: 11e8c4d10e74779b4ffe6241e5017376a03e0c6286f5b1154717eb0dbabc26f0
                                    • Opcode Fuzzy Hash: af4e7968fa7737151c244c702d1442d8703d87b9c0b8002882b3898e6d7b186a
                                    • Instruction Fuzzy Hash: 4F21C375200211AFDB10EF68C989F6EB7E9EF89310F118159E996E72C1CB79AD00DB51
                                    APIs
                                      • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                                      • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
                                    • _memmove.LIBCMT ref: 0101062F
                                    • _memmove.LIBCMT ref: 01010744
                                    • _memmove.LIBCMT ref: 010107EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 1300846289-0
                                    • Opcode ID: 4ed0df7a436d20f14876f254902f1c36968b7e4f7a7a2c29c34094da8ae82cc0
                                    • Instruction ID: 818234a8f8e011390c694e351e11cbed824b95407c721fa405e3feb0e965a6b5
                                    • Opcode Fuzzy Hash: 4ed0df7a436d20f14876f254902f1c36968b7e4f7a7a2c29c34094da8ae82cc0
                                    • Instruction Fuzzy Hash: D002AF70E00209DBDF04DF65D981AAEBBB5FF44300F1480A9F886DB259EB39DA51DB91
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FC19FA
                                    • GetSysColor.USER32(0000000F), ref: 00FC1A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00FC1A61
                                      • Part of subcall function 00FC1290: DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ColorProc$LongWindow
                                    • String ID:
                                    • API String ID: 3744519093-0
                                    • Opcode ID: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
                                    • Instruction ID: 60dcac6c8343017f4a808803fcbbcebfbd4de1c7e473f93980601c454f91dc40
                                    • Opcode Fuzzy Hash: e06de5c28f90fe10f5a008b3aa09b0fb121bda40bc8f05f05b6e044d7432903d
                                    • Instruction Fuzzy Hash: 74A13BB250644BBAE734AA298E86FBF355CFF83361B14011DF542D5197CA2DCC21B2B1
                                    APIs
                                      • Part of subcall function 010380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010380CB
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 01036AB1
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036ADA
                                    • bind.WSOCK32(00000000,?,00000010), ref: 01036B13
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036B20
                                    • closesocket.WSOCK32(00000000,00000000), ref: 01036B34
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
                                    • Instruction ID: 5e3f3a81d71d31ed16d5df46e5d03533cfb8702d53b15bf5cadbdb36ed159ef6
                                    • Opcode Fuzzy Hash: 5ea990b164cf006b5a803eb20f9651491d1da73bd9b919cdbfe05e383be22c97
                                    • Instruction Fuzzy Hash: C341D475700611AFEB10AF68DD87F6E77E8DB44B10F04805CF95AAB3C2CAB99D019B91
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
                                    • Instruction ID: cdecad418fbc24b8134fb1da9768c0e65accc14b1443b0cf249b530e14c1acbe
                                    • Opcode Fuzzy Hash: 0c6ba2f2ff1c0ef33c991350af335a0866f2c2090dcab3a4529017aba78642f0
                                    • Instruction Fuzzy Hash: C011C4B53005126FE7216F2AED85B2F7BD8EF48721F004079F986D7241CB799901CAA4
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 0102C69D
                                    • CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102C6B5
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                    • CoUninitialize.OLE32 ref: 0102C922
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                    • String ID: .lnk
                                    • API String ID: 2683427295-24824748
                                    • Opcode ID: dc5201b58bca9a030bba124d306725965e85e3b617be01f09d3b4f4b6b2c2d3f
                                    • Instruction ID: a37d6b5d580fcba3039c69bc45ac0d9789697d2e82e10a154eac293cd047ce23
                                    • Opcode Fuzzy Hash: dc5201b58bca9a030bba124d306725965e85e3b617be01f09d3b4f4b6b2c2d3f
                                    • Instruction Fuzzy Hash: 07A12B71108206AFD300EF64CD86EABB7ECEF94704F00495CF1969B191DBB5EA49DB92
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,01001D88,?), ref: 0103C312
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0103C324
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
                                    • Instruction ID: 40edbbd27e4d94a04ec065bce403fa941952ea2782a458e9590f97154eca3de8
                                    • Opcode Fuzzy Hash: b7bfd4939f32a719189c1fd0dfd7bdd004432492a437b920ad822114fe921d5c
                                    • Instruction Fuzzy Hash: 97E0C2F8600303CFEB314F2EC654A5676D8EF49244B80C86EE8C5E6220E774D440CBA0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    • Opcode ID: befacca9f9ce8e1109dd48adb236e17e22f1632dbf78bc373e0aa12d7a2b7b51
                                    • Instruction ID: a01408d7bc764e4b2ab223ee1cb3882b98f1bbee04edb1f2963b09d7db0a1c04
                                    • Opcode Fuzzy Hash: befacca9f9ce8e1109dd48adb236e17e22f1632dbf78bc373e0aa12d7a2b7b51
                                    • Instruction Fuzzy Hash: 9622AC715083029FD725DF28C881B6EB7E5AF84710F08491EF6CA97391DB79EA04DB92
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0103F151
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0103F15F
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                    • Process32NextW.KERNEL32(00000000,?), ref: 0103F21F
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0103F22E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    • Opcode ID: d122cc72c9dda29826312464353f72ebe281f242cec57e77945c5171ebd14e33
                                    • Instruction ID: 6adf5865106df99ed537fce1726483b9c8b64f0b2a5ebf21400516673e7fb9bd
                                    • Opcode Fuzzy Hash: d122cc72c9dda29826312464353f72ebe281f242cec57e77945c5171ebd14e33
                                    • Instruction Fuzzy Hash: 6C517C71508302AFD320EF24DD86F6BBBE8AF94B10F10481DF59597291EB74A908DB92
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0101EB19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: 9c5991d836c957bbc743b2fcab53316dfa94695def6ab5b18ca1330bcc7ca0fb
                                    • Instruction ID: b26db33889195eb5d1dfa31da0068ffb512770c78ad7bd6ef41c26896c46a2bd
                                    • Opcode Fuzzy Hash: 9c5991d836c957bbc743b2fcab53316dfa94695def6ab5b18ca1330bcc7ca0fb
                                    • Instruction Fuzzy Hash: D8323775A007059FDB29CF19C480A6AB7F1FF48320B15C5AEE99ADB3A5D770E981CB40
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,01031AFE,00000000), ref: 010326D5
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0103270C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: 77070525a6259001311f3ae5e79db721f8d95f9fa6821de34dac543beb6f2e35
                                    • Instruction ID: c8a82743eda69aaa03e3586e052f85ac36674788dffb5c9dbd68fb0ef6c998cb
                                    • Opcode Fuzzy Hash: 77070525a6259001311f3ae5e79db721f8d95f9fa6821de34dac543beb6f2e35
                                    • Instruction Fuzzy Hash: 0741F375900209BFEB21DA59DD84EBFB7FCFF84724F0040AAF681A6140EB759E41A650
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0102B5AE
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0102B608
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0102B655
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
                                    • Instruction ID: a27a5ea0a3137b503f3548f7ed8cbebe455fd9510af48fa5b3891837dc1c83b0
                                    • Opcode Fuzzy Hash: 61fc4eb641d221a986bc50570dc1fdef5a9951ffc4c17543d8cf2a05472f20e6
                                    • Instruction Fuzzy Hash: 30219D75A00519EFCB00EFA5D984EEEBBB8FF48310F0480A9E945AB351CB35A905CF50
                                    APIs
                                      • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                                      • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 01018D0D
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01018D3A
                                    • GetLastError.KERNEL32 ref: 01018D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: 7a7ae9e4d9770886dba49f019c6c845ee44630e80c79bb7e4cd73d3e86a24594
                                    • Instruction ID: 97f06949b3006621c2cd7708e033babfa29bb43e7a8add5e6fbff29093e3c3dc
                                    • Opcode Fuzzy Hash: 7a7ae9e4d9770886dba49f019c6c845ee44630e80c79bb7e4cd73d3e86a24594
                                    • Instruction Fuzzy Hash: 5311BFB1414309AFE328AF58DC85D6BB7F9FB44710B10C52EF89683205EB74A9408B60
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0102404B
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 01024088
                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 01024091
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
                                    • Instruction ID: bfd208df7a634348a006ba66b23d9460a964fadaeb38642e1589d0a2d53e02e0
                                    • Opcode Fuzzy Hash: 63786eeb24ba6042bc4f869ee99f1e54509c31de85d9c64c0a5617903cdeb824
                                    • Instruction Fuzzy Hash: B8117CB1D00239BEE7209AECDC84FAFBBBCEB08610F000656FA44E7181C2B9594487A1
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01024C2C
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01024C43
                                    • FreeSid.ADVAPI32(?), ref: 01024C53
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
                                    • Instruction ID: a1b0f4fcd513d41c1f68377624c3015b73edb64253f0d9ff37d01260e1757e2b
                                    • Opcode Fuzzy Hash: ffa8cfe6bbd20d0c91a92372532dcf7b5967a96dd7e05e436f935a25ce6f5ae5
                                    • Instruction Fuzzy Hash: 09F04F7591130DBFDF14DFF4D989AAEBBBCEF08201F5044A9A501E2180D6756A048B50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 706b07b032c6b1e2e808cec48d316bc578cf3a5697e499099816cece417f4667
                                    • Instruction ID: dd51dfcd61b2fca17bc32c948e80d40c6eeec90229df8f61c43261cef8826180
                                    • Opcode Fuzzy Hash: 706b07b032c6b1e2e808cec48d316bc578cf3a5697e499099816cece417f4667
                                    • Instruction Fuzzy Hash: 1A22AD75E00216CFDB24DF58C682BAABBB0FF04310F14846DE9969B381D735A985EB91
                                    APIs
                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01024F55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID: DOWN
                                    • API String ID: 2434400541-711622031
                                    • Opcode ID: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
                                    • Instruction ID: 1f014c770f08fdc9cab9f959315ed8c185247ca3a4ed43ac93b13e6c385a40f5
                                    • Opcode Fuzzy Hash: 88bbd8902e5fa89b9fda8dd0d1e4af77c0054c08023beb91385a65d191e85fca
                                    • Instruction Fuzzy Hash: 47E0CD7555C7B23CB99425197C0FEF713CC8B52131F11028AF990D50C1ED992C8215FC
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 0102C966
                                    • FindClose.KERNEL32(00000000), ref: 0102C996
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
                                    • Instruction ID: 1f45282fd0ea2f80dc9cc3b2f6e7eab774d90da47bcc0048eace0ce2b81707d4
                                    • Opcode Fuzzy Hash: 67155c26f9ed0075b050eaa3cd3876e890c3927671875a965440b7338ba93f84
                                    • Instruction Fuzzy Hash: D9118E766046119FD710EF29D949A2AF7E9EF84324F00851EF8A9C7291DB78AC00CB81
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A302
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0103977D,?,0104FB84,?), ref: 0102A314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 530067526e7dad7b69471e1d2da9a9145744a7ca21f407b646a7427a1744f6e3
                                    • Instruction ID: f0804ff3c79286de3a0bdc51ba6936777327e160e4453cb8ce82ed3ffd2198db
                                    • Opcode Fuzzy Hash: 530067526e7dad7b69471e1d2da9a9145744a7ca21f407b646a7427a1744f6e3
                                    • Instruction Fuzzy Hash: 45F0893554422DE7D721AEA4CC49FEA776DBF08751F008155F948D7141DA749544CBE0
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
                                    • CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: abaa853970deea3a613e310c4add574e428adb877a17bd2428e26fb4c0095406
                                    • Instruction ID: 9dfc3e782e16a8657f64e9e64431520e6eaafbd23fa0d38e975d88bc693af7a1
                                    • Opcode Fuzzy Hash: abaa853970deea3a613e310c4add574e428adb877a17bd2428e26fb4c0095406
                                    • Instruction Fuzzy Hash: 06E04676000641EFE7712B26ED08D73BBE9FB003507108829B99680834CB36AC90EB10
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FE8F97,?,?,?,00000001), ref: 00FEA39A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FEA3A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: b23b5e83bd0310d7bf37c586638e2c19fa78cace12fccb80073330dbeaeef515
                                    • Instruction ID: bb07037f817804cbf8aa4bb7de2f176aa55bf24a310ff98fa8e38a3ff17c59e7
                                    • Opcode Fuzzy Hash: b23b5e83bd0310d7bf37c586638e2c19fa78cace12fccb80073330dbeaeef515
                                    • Instruction Fuzzy Hash: 16B092F505420AABCA102B99E949F883F68EB44AA3F408010F64D84054CBE754508B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 41c7f0d9b6f76d7cea05d41e13b6d5fbedc3f81df51fd5c028b973f7e4c003a1
                                    • Instruction ID: c070a543e200d800b647d187868b197cd5f5db5df32a1f6975a7201d8b7f9c9b
                                    • Opcode Fuzzy Hash: 41c7f0d9b6f76d7cea05d41e13b6d5fbedc3f81df51fd5c028b973f7e4c003a1
                                    • Instruction Fuzzy Hash: BA323632D29F414DE7239535D832336B248AFB73D4F64D737E819B5A9AEB29C4836200
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d08bb0a4fcaf705f49e1e5cf49fc60980ce96e5a6b9f2d4c1b8fe4ad51e898dd
                                    • Instruction ID: 0d2737b424c3f3b8bf0c082180b596ff412e1c33ab66e4382d2bfe6ce1c45cbb
                                    • Opcode Fuzzy Hash: d08bb0a4fcaf705f49e1e5cf49fc60980ce96e5a6b9f2d4c1b8fe4ad51e898dd
                                    • Instruction Fuzzy Hash: E4B1E030E2AF418DD72396398831337BA4CAFBB2C9B51D71BFC5675D26EB2685834240
                                    APIs
                                    • __time64.LIBCMT ref: 01028B25
                                      • Part of subcall function 00FE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,010291F8,00000000,?,?,?,?,010293A9,00000000,?), ref: 00FE5443
                                      • Part of subcall function 00FE543A: __aulldiv.LIBCMT ref: 00FE5463
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    • Opcode ID: c55a76a3161fe8746c6200d2aa0a72f8f566fb2d1cdf1c5484c00a0bd3c438f1
                                    • Instruction ID: e6a5a543d70d21fd211ca2fa6a2d4479b1064ad8fde73c499f1e510e5a020b80
                                    • Opcode Fuzzy Hash: c55a76a3161fe8746c6200d2aa0a72f8f566fb2d1cdf1c5484c00a0bd3c438f1
                                    • Instruction Fuzzy Hash: A121E4726355108BC72ACF29D441B52B3E1EBA5311B288E6CD0F5CB2C0CA75B905CB94
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 01034218
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    • Opcode ID: 8dc4da7184afaffe59b3542d5898895be3ce23dc97edade2c5d45a974bba17ba
                                    • Instruction ID: 057f6bbf6f902cd9315162ad3a929c0d6feca6a0c073851e24507fb2fc40c282
                                    • Opcode Fuzzy Hash: 8dc4da7184afaffe59b3542d5898895be3ce23dc97edade2c5d45a974bba17ba
                                    • Instruction Fuzzy Hash: 5DE048752441159FC710DF59D945E5AF7DCAF94760F018019FC49DB352DAB4E8408B90
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010188D1), ref: 01018CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    • Opcode ID: 516746485f31bde0765aec4314f03c09abeaaae3c4585bd144a212a6ce0d9265
                                    • Instruction ID: 95a0c2074e34b002979582194e31d00a2a9b2ca88fd0ea86fc0e8266788f9588
                                    • Opcode Fuzzy Hash: 516746485f31bde0765aec4314f03c09abeaaae3c4585bd144a212a6ce0d9265
                                    • Instruction Fuzzy Hash: 3BD05E3226050EBBEF018EA8DD01EAF3B69EB04B01F408111FE15C5090C776D835AF60
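The records above (AdjustTokenPrivileges followed by CloseHandle, BlockInput, LogonUserW, and the __time64 function with its GetSystemTimeAsFileTime subcall) are the handful an analyst wants to pull out of a few hundred function entries before opening any disassembly. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin. It parses records in exactly the line shapes printed on this page, rebuilds an approximation of the "API ID" similarity field, and tags every function whose calls fall on a small watch list. Two things in it are assumptions: the rule that the API ID field drops the Get/Set verb, strips the A/W charset suffix and sorts the remaining CamelCase words is inferred from the records on this page (it reproduces ErrorFormatLastMessage, ExceptionFilterUnhandled, AdjustCloseHandlePrivilegesToken, NameUser and LogonUser, but not the "$" factoring seen in Find$CloseFileFirst), and the WATCHLIST descriptions are the example's own wording, not sandbox signatures. SAMPLE is four records copied from this page, trimmed to the lines the parser reads.

```python
"""Triage Joe Sandbox function records by the Win32 calls they contain.

Added example, not part of the report. The parser targets the line shapes of the
records on this page: "• Api.MODULE(args), ref: addr", "• API ID: ...",
"• Opcode ID: ..." and the "• Instruction Fuzzy Hash: ..." line that ends a record.
"""
import re

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S*)\s*$")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")
RECORD_END = "Instruction Fuzzy Hash:"   # last line of every record on the page

# Verb prefixes the report's "API ID" field drops. Assumption, inferred from
# GetLastError -> "Error...Last" and SetUnhandledExceptionFilter -> "...Unhandled".
DROPPED_WORDS = {"Get", "Set"}

# Calls worth a second look in a "PDF" that is really an executable. The text
# says what the API does; it is a triage hint, not a verdict.
WATCHLIST = {
    "BlockInput": "blocks keyboard and mouse input",
    "AdjustTokenPrivileges": "changes token privileges",
    "LogonUser": "authenticates with explicit credentials",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter",
    "GetUserName": "collects the current user name",
    "GetSystemTimeAsFileTime": "reads the system clock (timing checks)",
}

# Four records copied from this report, trimmed to the lines the parser uses.
SAMPLE = """\
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01018851), ref: 01018728
• CloseHandle.KERNEL32(?,?,01018851), ref: 0101873A
• API ID: AdjustCloseHandlePrivilegesToken
• Opcode ID: abaa853970deea3a613e310c4add574e428adb877a17bd2428e26fb4c0095406
• Instruction Fuzzy Hash: 06E04676000641EFE7712B26ED08D73BBE9FB003507108829B99680834CB36AC90EB10
• BlockInput.USER32(00000001), ref: 01034218
• API ID: BlockInput
• Opcode ID: 8dc4da7184afaffe59b3542d5898895be3ce23dc97edade2c5d45a974bba17ba
• Instruction Fuzzy Hash: 5DE048752441159FC710DF59D945E5AF7DCAF94760F018019FC49DB352DAB4E8408B90
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,010188D1), ref: 01018CB3
• API ID: LogonUser
• Opcode ID: 516746485f31bde0765aec4314f03c09abeaaae3c4585bd144a212a6ce0d9265
• Instruction Fuzzy Hash: 3BD05E3226050EBBEF018EA8DD01EAF3B69EB04B01F408111FE15C5090C776D835AF60
• __time64.LIBCMT ref: 01028B25
  • Part of subcall function 00FE543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,010291F8,00000000,?,?,?,?,010293A9,00000000,?), ref: 00FE5443
  • Part of subcall function 00FE543A: __aulldiv.LIBCMT ref: 00FE5463
• API ID: Time$FileSystem__aulldiv__time64
• Opcode ID: c55a76a3161fe8746c6200d2aa0a72f8f566fb2d1cdf1c5484c00a0bd3c438f1
• Instruction Fuzzy Hash: A121E4726355108BC72ACF29D441B52B3E1EBA5311B288E6CD0F5CB2C0CA75B905CB94
"""


def base_name(api):
    """LogonUserW -> LogonUser: drop the A/W charset suffix, nothing else."""
    return api[:-1] if len(api) > 2 and api[-1] in "AW" and api[-2].islower() else api


def api_key(calls):
    """Approximate the report's "API ID": CamelCase words of every call, minus
    DROPPED_WORDS, de-duplicated and sorted. Exact for this page's records that
    have no '$'; the '$' form (a word shared by all calls pulled out in front,
    as in Find$CloseFileFirst) is not reproduced."""
    words = set()
    for c in calls:
        tokens = re.findall(r"[A-Z][a-z0-9]*|_+[a-z0-9]+", base_name(c["api"]))
        words.update(t for t in tokens if t not in DROPPED_WORDS)
    return "".join(sorted(words))


def parse_records(text):
    """One dict per function record: its calls (subcalls included, as the report
    counts them), the API ID the report printed, and the Opcode ID."""
    records, cur = [], {"calls": [], "reported_api_id": None, "opcode_id": None}
    for line in text.splitlines():
        if m := API_RE.match(line):
            cur["calls"].append({"api": m["api"], "module": m["module"], "ref": m["ref"],
                                 "subcall": m["sub"],
                                 "args": m["args"].split(",") if m["args"] else []})
        elif m := API_ID_RE.match(line):
            cur["reported_api_id"] = m["id"]
        elif m := OPCODE_RE.match(line):
            cur["opcode_id"] = m["id"]
        elif RECORD_END in line:
            records.append(cur)
            cur = {"calls": [], "reported_api_id": None, "opcode_id": None}
    return records


def triage(text):
    """Per record: computed key, whether it equals the report's field, and one
    tag per WATCHLIST API present (named once even if called repeatedly)."""
    rows = []
    for rec in parse_records(text):
        key = api_key(rec["calls"])
        hits = dict.fromkeys(n for n in map(lambda c: base_name(c["api"]), rec["calls"]) if n in WATCHLIST)
        rows.append({
            "opcode_id": rec["opcode_id"],
            "apis": [c["api"] for c in rec["calls"]],
            "api_key": key,
            "matches_report": None if rec["reported_api_id"] is None else key == rec["reported_api_id"],
            "tags": [f"{n}: {WATCHLIST[n]}" for n in hits],
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        if row["tags"]:
            print(row["opcode_id"][:12], row["api_key"], "|", "; ".join(row["tags"]))
```

Run against a whole exported report, `triage` reduces the function list to the entries with tags, and `matches_report` shows where the reconstructed key drifts from the sandbox's field, which is how the "$" case was noticed. The Opcode ID is kept on every row because it is the stable handle for pivoting to the same function in other reports.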
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,?), ref: 01002242
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: ede4b890b138d629c709b3c38883c5fbfb9b19ea10fe06ac8a5f7046cb88eba4
                                    • Instruction ID: f27273387535e839688edfc06459c46e087e07f49f4bd9144a6b12bc36de1914
                                    • Opcode Fuzzy Hash: ede4b890b138d629c709b3c38883c5fbfb9b19ea10fe06ac8a5f7046cb88eba4
                                    • Instruction Fuzzy Hash: 45C04CF5800109DBDB15DB90D688DEE77BCAB04304F104055A141F2140D7749B448B71
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FEA36A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: a1113394a7a91d3e62b39f446db0b4db96821a2d18792700748f43ce13ab6d97
                                    • Instruction ID: e2acddabd37b928522f9286b3b6c77d078014bc10b01becd397146ab4cd442f0
                                    • Opcode Fuzzy Hash: a1113394a7a91d3e62b39f446db0b4db96821a2d18792700748f43ce13ab6d97
                                    • Instruction Fuzzy Hash: D4A012B000010DA78A001A45E8048447F5CD6005917008010F40C4001187B354104680
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f6f2d2eb0a29e12bd6fb37aebf3666dce712a56d3389c50b0a18be9d13c622cc
                                    • Instruction ID: e64dadec69773dfd6c773c92505e3ba71bcf09e28e54a2cc95ef4aa78e124236
                                    • Opcode Fuzzy Hash: f6f2d2eb0a29e12bd6fb37aebf3666dce712a56d3389c50b0a18be9d13c622cc
                                    • Instruction Fuzzy Hash: BB224B31911116CBDF388F19D89467D77A2FB82394F2C846BD8829F395DB389D82DB60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: b08c72a7b92294e1b79326385b18db26e08267b162795b2396f407a8086ce651
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 76C190326051D309DF6D863B943413EBAE56AA27B131A0B6EE4B3CB5C5FF20D564F620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: 9dc724789f6c140d1813bd601d1322f2d832e42e1cc3633806d23a91e65c924a
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: 50C1BF336051D30ADBAD463BD43413EBBE56AA27B131A176DE4B2CB4C5FF20D664B620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: ba0bcffb9c1b1587216c65a119040e6ca96b6c09160500111873c45e133ecc5a
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: E9C16D326091D309DF2D463B943417EBAE17AA27B131A0B6DE8B2CB5D4EF30D564F660
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction ID: 1da68de73f5742385c83a43129459c6e263c70760a1f8acf3af35a41355270ca
                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction Fuzzy Hash: 1841B571D1051CEBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction ID: 41ae45f34e75f708bc947817bea2abe0e623c8251e4de6a8e7c57d6a08f5a4e3
                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction Fuzzy Hash: 85019279A00209EFCB48DFA8C5909AEF7F5FB48350F209599EC19A7701E731AE41DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction ID: 52d55d041ee69fc120e2b4cccb4173e27f533931dbd974efa76075729979c1c1
                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction Fuzzy Hash: 2C019279A00109EFCB44DFA8C5909AEFBF5FB48350F209599EC19A7701E730AE45DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043193490.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_e50000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 01037B70
                                    • DeleteObject.GDI32(00000000), ref: 01037B82
                                    • DestroyWindow.USER32 ref: 01037B90
                                    • GetDesktopWindow.USER32 ref: 01037BAA
                                    • GetWindowRect.USER32(00000000), ref: 01037BB1
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 01037CF2
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 01037D02
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037D4A
                                    • GetClientRect.USER32(00000000,?), ref: 01037D56
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01037D90
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DB2
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DC5
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DD0
                                    • GlobalLock.KERNEL32(00000000), ref: 01037DD9
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DE8
                                    • GlobalUnlock.KERNEL32(00000000), ref: 01037DF1
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037DF8
                                    • GlobalFree.KERNEL32(00000000), ref: 01037E03
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037E15
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01052CAC,00000000), ref: 01037E2B
                                    • GlobalFree.KERNEL32(00000000), ref: 01037E3B
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01037E61
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01037E80
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01037EA2
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0103808F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,0104F910), ref: 010438AF
                                    • IsWindowVisible.USER32(?), ref: 010438D3
                                    Strings
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 0104A89F
                                    • GetSysColorBrush.USER32(0000000F), ref: 0104A8D0
                                    • GetSysColor.USER32(0000000F), ref: 0104A8DC
                                    • SetBkColor.GDI32(?,000000FF), ref: 0104A8F6
                                    • SelectObject.GDI32(?,?), ref: 0104A905
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0104A930
                                    • GetSysColor.USER32(00000010), ref: 0104A938
                                    • CreateSolidBrush.GDI32(00000000), ref: 0104A93F
                                    • FrameRect.USER32(?,?,00000000), ref: 0104A94E
                                    • DeleteObject.GDI32(00000000), ref: 0104A955
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0104A9A0
                                    • FillRect.USER32(?,?,?), ref: 0104A9D2
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0104A9FD
                                      • Part of subcall function 0104AB60: GetSysColor.USER32(00000012), ref: 0104AB99
                                      • Part of subcall function 0104AB60: SetTextColor.GDI32(?,?), ref: 0104AB9D
                                      • Part of subcall function 0104AB60: GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
                                      • Part of subcall function 0104AB60: GetSysColor.USER32(0000000F), ref: 0104ABBE
                                      • Part of subcall function 0104AB60: GetSysColor.USER32(00000011), ref: 0104ABDB
                                      • Part of subcall function 0104AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
                                      • Part of subcall function 0104AB60: SelectObject.GDI32(?,00000000), ref: 0104ABFA
                                      • Part of subcall function 0104AB60: SetBkColor.GDI32(?,00000000), ref: 0104AC03
                                      • Part of subcall function 0104AB60: SelectObject.GDI32(?,?), ref: 0104AC10
                                      • Part of subcall function 0104AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
                                      • Part of subcall function 0104AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
                                      • Part of subcall function 0104AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                    • String ID:
                                    • API String ID: 4124339563-0
                                    APIs
                                    • DestroyWindow.USER32(?,?,?), ref: 00FC2CA2
                                    • DeleteObject.GDI32(00000000), ref: 00FC2CE8
                                    • DeleteObject.GDI32(00000000), ref: 00FC2CF3
                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00FC2CFE
                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00FC2D09
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00FFC68B
                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FFC6C4
                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FFCAED
                                      • Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A
                                    • SendMessageW.USER32(?,00001053), ref: 00FFCB2A
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FFCB41
                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB57
                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FFCB62
                                    Strings
                                    Similarity
                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                    • String ID: 0
                                    • API String ID: 464785882-4108050209
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 010377F1
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 010378B0
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010378EE
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 01037900
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01037946
                                    • GetClientRect.USER32(00000000,?), ref: 01037952
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01037996
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 010379A5
                                    • GetStockObject.GDI32(00000011), ref: 010379B5
                                    • SelectObject.GDI32(00000000,00000000), ref: 010379B9
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010379C9
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 010379D2
                                    • DeleteDC.GDI32(00000000), ref: 010379DB
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 01037A07
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 01037A1E
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01037A59
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01037A6D
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 01037A7E
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 01037AAE
                                    • GetStockObject.GDI32(00000011), ref: 01037AB9
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01037AC4
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 01037ACE
                                    Strings
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0102AF89
                                    • GetDriveTypeW.KERNEL32(?,0104FAC0,?,\\.\,0104F910), ref: 0102B066
                                    • SetErrorMode.KERNEL32(00000000,0104FAC0,?,\\.\,0104F910), ref: 0102B1C4
                                    Strings
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 0104AB99
                                    • SetTextColor.GDI32(?,?), ref: 0104AB9D
                                    • GetSysColorBrush.USER32(0000000F), ref: 0104ABB3
                                    • GetSysColor.USER32(0000000F), ref: 0104ABBE
                                    • CreateSolidBrush.GDI32(?), ref: 0104ABC3
                                    • GetSysColor.USER32(00000011), ref: 0104ABDB
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0104ABE9
                                    • SelectObject.GDI32(?,00000000), ref: 0104ABFA
                                    • SetBkColor.GDI32(?,00000000), ref: 0104AC03
                                    • SelectObject.GDI32(?,?), ref: 0104AC10
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0104AC2F
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0104AC46
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0104AC5B
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0104ACA7
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0104ACCE
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0104ACEC
                                    • DrawFocusRect.USER32(?,?), ref: 0104ACF7
                                    • GetSysColor.USER32(00000011), ref: 0104AD05
                                    • SetTextColor.GDI32(?,00000000), ref: 0104AD0D
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0104AD21
                                    • SelectObject.GDI32(?,0104A869), ref: 0104AD38
                                    • DeleteObject.GDI32(?), ref: 0104AD43
                                    • SelectObject.GDI32(?,?), ref: 0104AD49
                                    • DeleteObject.GDI32(?), ref: 0104AD4E
                                    • SetTextColor.GDI32(?,?), ref: 0104AD54
                                    • SetBkColor.GDI32(?,?), ref: 0104AD5E
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01048D34
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048D45
                                    • CharNextW.USER32(0000014E), ref: 01048D74
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01048DB5
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01048DCB
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01048DDC
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01048DF9
                                    • SetWindowTextW.USER32(?,0000014E), ref: 01048E45
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01048E5B
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01048E8C
                                    • _memset.LIBCMT ref: 01048EB1
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01048EFA
                                    • _memset.LIBCMT ref: 01048F59
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01048F83
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 01048FDB
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 01049088
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 010490AA
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 010490F4
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01049121
                                    • DrawMenuBar.USER32(?), ref: 01049130
                                    • SetWindowTextW.USER32(?,0000014E), ref: 01049158
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 01044C51
                                    • GetDesktopWindow.USER32 ref: 01044C66
                                    • GetWindowRect.USER32(00000000), ref: 01044C6D
                                    • GetWindowLongW.USER32(?,000000F0), ref: 01044CCF
                                    • DestroyWindow.USER32(?), ref: 01044CFB
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01044D24
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01044D42
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01044D68
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 01044D7D
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01044D90
                                    • IsWindowVisible.USER32(?), ref: 01044DB0
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01044DCB
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01044DDF
                                    • GetWindowRect.USER32(?,?), ref: 01044DF7
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 01044E1D
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 01044E37
                                    • CopyRect.USER32(?,?), ref: 01044E4E
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 01044EB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
                                    • Instruction ID: 48e894bc250555cd757f3059c0f09554ca2ae632cf322b66d37acf1c0f890e91
                                    • Opcode Fuzzy Hash: dc4745004e8933d05c654bea73b4708350c5a05d6df386f21259467189a0cf67
                                    • Instruction Fuzzy Hash: 14B17DB1608341AFD754DF29C989B5ABBE4BF88310F00892CF5D9DB291DB75D804CB95
                                    APIs
                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 010246E8
                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0102470E
                                    • _wcscpy.LIBCMT ref: 0102473C
                                    • _wcscmp.LIBCMT ref: 01024747
                                    • _wcscat.LIBCMT ref: 0102475D
                                    • _wcsstr.LIBCMT ref: 01024768
                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01024784
                                    • _wcscat.LIBCMT ref: 010247CD
                                    • _wcscat.LIBCMT ref: 010247D4
                                    • _wcsncpy.LIBCMT ref: 010247FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 699586101-1459072770
                                    • Opcode ID: 195dd782a6f5511ec2bba122fce398c0e580a65fbb9b198c18e69501990dd41c
                                    • Instruction ID: 20769d3fed07107bafff9641fce845a0715074dc252447592b4869b3ac95152c
                                    • Opcode Fuzzy Hash: 195dd782a6f5511ec2bba122fce398c0e580a65fbb9b198c18e69501990dd41c
                                    • Instruction Fuzzy Hash: 64416B71A00291BBE710B77A9C47EBF77BCEF01710F04016AF941E7142EB79A601A7A5
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28BC
                                    • GetSystemMetrics.USER32(00000007), ref: 00FC28C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FC28EF
                                    • GetSystemMetrics.USER32(00000008), ref: 00FC28F7
                                    • GetSystemMetrics.USER32(00000004), ref: 00FC291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FC2939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FC2949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FC297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FC2990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 00FC29AE
                                    • GetStockObject.GDI32(00000011), ref: 00FC29CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC29D5
                                      • Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
                                      • Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
                                      • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
                                      • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00FC1256), ref: 00FC29FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: 9bcd03cc4b390774b9f3168af13909ce06eb81c5a8964a2858c3f62d0a979e8d
                                    • Instruction ID: 0d69264aa33b7c29492c8b44fcc978ae17a4398bc8131ba5f6b649f1fae04ff5
                                    • Opcode Fuzzy Hash: 9bcd03cc4b390774b9f3168af13909ce06eb81c5a8964a2858c3f62d0a979e8d
                                    • Instruction Fuzzy Hash: F8B18075A0020BEFDB24DF68DA85FAD7BB4FF08310F114219FA55E6294DB799800DB90
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 010440F6
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 010441B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
                                    • Instruction ID: a50686ae4ef0dbd1f30517b3439c90ce8ee5614afab6c3b64e69a0e286e1b561
                                    • Opcode Fuzzy Hash: fa7cce0dfed28b756ac9d0e972ced77ab06ad44c0824ebceaee5280b9cb8dd4f
                                    • Instruction Fuzzy Hash: C5A18E702143029BCB14EF24CE92F6AB7E5BF84314F04896CA8D69B692DF78EC05CB51
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 01035309
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 01035314
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0103531F
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 0103532A
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 01035335
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 01035340
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0103534B
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 01035356
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 01035361
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0103536C
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 01035377
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 01035382
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0103538D
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 01035398
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 010353A3
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 010353AE
                                    • GetCursorInfo.USER32(?), ref: 010353BE
                                    • GetLastError.KERNEL32(00000001,00000000), ref: 010353E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$ErrorInfoLast
                                    • String ID:
                                    • API String ID: 3215588206-0
                                    • Opcode ID: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
                                    • Instruction ID: 89d4e85903ac44d87f5df2d23e7f531e632e38c10c91681963b4aaabecd764af
                                    • Opcode Fuzzy Hash: dfe7195430f015a13c50b1e10f55b0612a5bfc8861ebe5aa45ec5b904f47ebc3
                                    • Instruction Fuzzy Hash: 07414370E083196ADB109FBA8C49D6EFFFCEF91B50F10452FA549E7290DAB89501CE51
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0101AAA5
                                    • __swprintf.LIBCMT ref: 0101AB46
                                    • _wcscmp.LIBCMT ref: 0101AB59
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0101ABAE
                                    • _wcscmp.LIBCMT ref: 0101ABEA
                                    • GetClassNameW.USER32(?,?,00000400), ref: 0101AC21
                                    • GetDlgCtrlID.USER32(?), ref: 0101AC73
                                    • GetWindowRect.USER32(?,?), ref: 0101ACA9
                                    • GetParent.USER32(?), ref: 0101ACC7
                                    • ScreenToClient.USER32(00000000), ref: 0101ACCE
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0101AD48
                                    • _wcscmp.LIBCMT ref: 0101AD5C
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0101AD82
                                    • _wcscmp.LIBCMT ref: 0101AD96
                                      • Part of subcall function 00FE386C: _iswctype.LIBCMT ref: 00FE3874
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: f09d1e0bab78b6e8272746edae6ec8b603f703f2bf441d4fac77bfdbe2f3aad4
                                    • Instruction ID: 4c25d6ce40bf311e5cedfdae06e5b88ee5491c36bb69bc2df0374a00cc74b773
                                    • Opcode Fuzzy Hash: f09d1e0bab78b6e8272746edae6ec8b603f703f2bf441d4fac77bfdbe2f3aad4
                                    • Instruction Fuzzy Hash: 3EA1FD71305686EFD715EE68C884BAABBE8FF04315F404629FADAC3185DB38E545CB90
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0101B3DB
                                    • _wcscmp.LIBCMT ref: 0101B3EC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0101B414
                                    • CharUpperBuffW.USER32(?,00000000), ref: 0101B431
                                    • _wcscmp.LIBCMT ref: 0101B44F
                                    • _wcsstr.LIBCMT ref: 0101B460
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0101B498
                                    • _wcscmp.LIBCMT ref: 0101B4A8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0101B4CF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0101B518
                                    • _wcscmp.LIBCMT ref: 0101B528
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0101B550
                                    • GetWindowRect.USER32(00000004,?), ref: 0101B5B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: f84bddabd504117a49673e9b55e431906faedee68fad9bf7e65e88130fc882b5
                                    • Instruction ID: 3b2d5cbdfcc2f533e27be158888341f6280ff5605d4e7b6f688c59c39263b865
                                    • Opcode Fuzzy Hash: f84bddabd504117a49673e9b55e431906faedee68fad9bf7e65e88130fc882b5
                                    • Instruction Fuzzy Hash: 4081CF710083069BEB11DF19C985FAA7BE8FF44314F0885A9FDC58A09ADB3CD945CBA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
                                    • Instruction ID: bf906cc2b85eecad6fcafa485073fe077dfd7d20649641ce320a98287874de22
                                    • Opcode Fuzzy Hash: 03ffda5206e49e52c39fe8bd22c036e83557175aee52a5b539162df8f8493fa6
                                    • Instruction Fuzzy Hash: C131A031A44306A6DB10FA62CE47FEEB7B4AF14B60F60012DF481760D6EF6D6E08D955
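The strings in this record (ACTIVE, ALL, CLASSNAME=, HANDLE=, LAST, REGEXP= and their bracketed counterparts [ACTIVE, [ALL, [CLASS:, [HANDLE:, [LAST, [REGEXPTITLE:) are the keywords of the window-description syntax of the AutoIt v3 runtime identified by the "AutoIt v3 GUI" class string in an earlier record; the only API in the function is __wcsnicmp, so the comparison is a case-insensitive prefix match. When the script is recovered from a compiled sample, these descriptions are what its Win*/Control* calls use to select target windows, so being able to read them quickly matters during triage. The parser below is an added example, not AutoIt or Joe Sandbox code. The bracketed "[PROP:value; PROP:value]" grammar with ";;" as the escaped semicolon, and the TITLE, REGEXPCLASS, INSTANCE and X/Y/W/H keys, are taken from the AutoIt documentation rather than from this listing, so their acceptance by this particular runtime build is an assumption; the sample descriptions are constructed.

```python
"""Parse AutoIt window descriptions of the kind the string table above reveals.

Added example, not AutoIt or Joe Sandbox code. Implements the documented grammar:
the bracketed advanced form "[CLASS:x; INSTANCE:1]" and the older mode-4 prefixes
"classname=", "handle=", "regexp=" with the bare keywords active/last/all.
"""
from typing import Dict, List

# Keys of the bracketed form. CLASS, HANDLE, REGEXPTITLE, LAST, ACTIVE and ALL are
# evidenced by the "[CLASS:", "[HANDLE:", "[REGEXPTITLE:", "[LAST", "[ACTIVE", "[ALL"
# strings; the others come from the AutoIt documentation (assumed supported here).
BRACKET_KEYS = {"title", "class", "regexptitle", "regexpclass", "handle", "instance",
                "last", "active", "all", "x", "y", "w", "h"}
FLAG_KEYS = {"last", "active", "all"}           # properties that take no value
# Legacy (WinTitleMatchMode 4) prefixes, mapped onto the bracketed property names.
LEGACY_PREFIXES = {"classname=": "class", "handle=": "handle", "regexp=": "regexptitle"}


def _split_props(body: str) -> List[str]:
    """Split 'K:V; K:V' on single semicolons; ';;' is an escaped literal ';'."""
    parts, cur, i = [], [], 0
    while i < len(body):
        if body[i] == ";":
            if body[i + 1:i + 2] == ";":
                cur.append(";")
                i += 2
                continue
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def parse_window_desc(desc: str) -> Dict[str, str]:
    """Return {'form': ..., property: value}; raise ValueError on an unknown key.

    Keyword comparison is case-insensitive, matching the __wcsnicmp the runtime uses.
    """
    s = desc.strip()
    low = s.lower()
    if s.startswith("[") and s.endswith("]"):
        props = {"form": "advanced"}
        for part in _split_props(s[1:-1]):
            key, _, value = part.partition(":")
            key = key.strip().lower()
            if key not in BRACKET_KEYS:
                raise ValueError(f"unknown window property {key!r} in {desc!r}")
            if key in FLAG_KEYS and value.strip():
                raise ValueError(f"{key} takes no value")
            props[key] = "" if key in FLAG_KEYS else value.strip()
        return props
    for prefix, key in LEGACY_PREFIXES.items():
        if low.startswith(prefix):
            return {"form": "legacy", key: s[len(prefix):]}
    if low in FLAG_KEYS:
        return {"form": "legacy", low: ""}
    return {"form": "plain", "title": s}


if __name__ == "__main__":
    # Constructed sample descriptions, not strings recovered from this sample.
    for d in ("[CLASS:Notepad; INSTANCE:1]", "classname=Notepad",
              "[TITLE:a;;b; ACTIVE]", "Untitled - Notepad"):
        print(d, "->", parse_window_desc(d))
```

A description that parses as "plain" is matched against window titles under the script's WinTitleMatchMode setting, which this function does not see; only the keyword forms are resolved here.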
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 0101C4D4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0101C4E6
                                    • SetWindowTextW.USER32(?,?), ref: 0101C4FD
                                    • GetDlgItem.USER32(?,000003EA), ref: 0101C512
                                    • SetWindowTextW.USER32(00000000,?), ref: 0101C518
                                    • GetDlgItem.USER32(?,000003E9), ref: 0101C528
                                    • SetWindowTextW.USER32(00000000,?), ref: 0101C52E
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0101C54F
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0101C569
                                    • GetWindowRect.USER32(?,?), ref: 0101C572
                                    • SetWindowTextW.USER32(?,?), ref: 0101C5DD
                                    • GetDesktopWindow.USER32 ref: 0101C5E3
                                    • GetWindowRect.USER32(00000000), ref: 0101C5EA
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0101C636
                                    • GetClientRect.USER32(?,?), ref: 0101C643
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0101C668
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0101C693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
                                    • Instruction ID: 33180d19443c83411e0a6bccd0a359586ad4b3cd8428632e810c370006c227aa
                                    • Opcode Fuzzy Hash: 692f594a158804cb9672937444fb4852770d93d56d4f3b643630bed89ec1fb3b
                                    • Instruction Fuzzy Hash: CA51617094070AAFEB20DFA8DE85B6EBBF5FF04705F004958E686A25A4C779E944CB50
                                    APIs
                                    • _memset.LIBCMT ref: 0104A4C8
                                    • DestroyWindow.USER32(?,?), ref: 0104A542
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0104A5BC
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0104A5DE
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A5F1
                                    • DestroyWindow.USER32(00000000), ref: 0104A613
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FC0000,00000000), ref: 0104A64A
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0104A663
                                    • GetDesktopWindow.USER32 ref: 0104A67C
                                    • GetWindowRect.USER32(00000000), ref: 0104A683
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0104A69B
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0104A6B3
                                      • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
                                    • Instruction ID: 379f638d7d0791fe695189d67530a9cbefdf5f0ca7d2b084e298ca55d927f94e
                                    • Opcode Fuzzy Hash: 4af28a1ce099683c55e639ac04736e7f4fe32ccf03a8e4ab79ca9443ca73c36d
                                    • Instruction Fuzzy Hash: 0C717CB5244205EFE720DF28C885F6A7BE5FB88300F44456DFAC687251D776E905CB61
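The records above print every argument as raw hex, so reading them requires knowing that 0x432 is TTM_ADDTOOLW, that 0xD8F0D8F0 in the TTM_TRACKPOSITION call packs the off-screen tooltip position (-10000, -10000), that 0x7F89 in LoadCursorW is IDC_HAND, that 0xCC and 0xC5 sent to control 0x3E9 are EM_SETPASSWORDCHAR and EM_LIMITTEXT, and that the 0xF0 and 0xEB indices passed to GetWindowLongW/SetWindowLongW are the byte-truncated negatives GWL_STYLE (-16) and GWL_USERDATA (-21). Decoded this way, these functions are the stock AutoIt v3 runtime (its ToolTip, InputBox, GUI and cursor helpers, consistent with the "AutoIt v3 GUI" and "@GUI_DRAGFILE" strings) rather than anything specific to this script, which is the triage decision the fuzzy hashes exist to support. The script below is an added example, not part of the Joe Sandbox report or of the AutoIt project: it parses listing lines in the exact format printed here and annotates them from a constant table that covers only the values appearing in these records. The table values are from the Win32 SDK headers; the sample lines are copied from this page; the DefWindowProcW/GWL_EXSTYLE entries are additions not evidenced here.

```python
"""Annotate IDA-plugin API listings (the "APIs" lines above) with symbolic Win32 names.

Added example for this report; not Joe Sandbox or AutoIt code. Only constants that
occur in the listings on this page are tabled; extend the dicts for other samples.
"""
import re
from typing import Dict, List, Optional

# Window-message IDs seen in the listings (values from the Win32 SDK headers).
MSG_NAMES: Dict[int, str] = {
    0x0005: "WM_SIZE", 0x0030: "WM_SETFONT", 0x0080: "WM_SETICON",
    0x00B0: "EM_GETSEL", 0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
    0x00C5: "EM_LIMITTEXT", 0x00CC: "EM_SETPASSWORDCHAR", 0x0233: "WM_DROPFILES",
    0x0411: "TTM_TRACKACTIVATE", 0x0412: "TTM_TRACKPOSITION", 0x0418: "TTM_SETMAXTIPWIDTH",
    0x041D: "TTM_UPDATE", 0x0421: "TTM_SETTITLEW", 0x0432: "TTM_ADDTOOLW",
    0x0433: "TTM_DELTOOLW", 0x0439: "TTM_UPDATETIPTEXTW", 0x1032: "LVM_GETSELECTEDCOUNT",
}
# OEM cursor IDs passed to LoadCursorW(NULL, id); the 16 loaded at 01035309..010353AE.
CURSOR_NAMES: Dict[int, str] = {
    0x7F00: "IDC_ARROW", 0x7F01: "IDC_IBEAM", 0x7F02: "IDC_WAIT", 0x7F03: "IDC_CROSS",
    0x7F04: "IDC_UPARROW", 0x7F80: "IDC_SIZE", 0x7F81: "IDC_ICON", 0x7F82: "IDC_SIZENWSE",
    0x7F83: "IDC_SIZENESW", 0x7F84: "IDC_SIZEWE", 0x7F85: "IDC_SIZENS", 0x7F86: "IDC_SIZEALL",
    0x7F88: "IDC_NO", 0x7F89: "IDC_HAND", 0x7F8A: "IDC_APPSTARTING", 0x7F8B: "IDC_HELP",
}
# Get/SetWindowLong indices are negative; the listing prints them truncated to one byte.
GWL_NAMES: Dict[int, str] = {-16: "GWL_STYLE", -20: "GWL_EXSTYLE", -21: "GWL_USERDATA"}
# Position of the message-ID argument for each message-passing API.
MSG_ARG_INDEX: Dict[str, int] = {
    "SendMessageW": 1, "PostMessageW": 1, "SendMessageTimeoutW": 1,
    "DefDlgProcW": 1, "DefWindowProcW": 1, "SendDlgItemMessageW": 2,
}

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional (args), then "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def _hex(arg: str) -> Optional[int]:
    """Parse one argument; '?' (not recovered statically) or a string literal gives None."""
    arg = arg.strip()
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def _signed16(v: int) -> int:
    return v - 0x10000 if v & 0x8000 else v


def parse_api_line(line: str) -> Optional[dict]:
    """Split one listing line into api, module, argument list and call-site address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": m.group("ref").upper()}


def annotate(rec: dict) -> List[str]:
    """Return symbolic notes for one parsed call; empty if nothing is tabled for it."""
    api, args, notes = rec["api"], rec["args"], []
    if api in MSG_ARG_INDEX:
        i = MSG_ARG_INDEX[api]
        msg = _hex(args[i]) if len(args) > i else None
        if msg is not None:
            name = MSG_NAMES.get(msg, f"msg 0x{msg:04X}")
            notes.append(name)
            lparam = _hex(args[i + 2]) if len(args) > i + 2 else None
            if name == "TTM_TRACKPOSITION" and lparam is not None:
                # lParam packs x in the low word and y in the high word, both signed
                x, y = _signed16(lparam & 0xFFFF), _signed16(lparam >> 16)
                notes.append(f"tooltip position ({x}, {y})")
    elif api == "LoadCursorW" and len(args) > 1:
        cid = _hex(args[1])
        if cid is not None:
            notes.append(CURSOR_NAMES.get(cid, f"cursor 0x{cid:04X}"))
    elif api in ("GetWindowLongW", "SetWindowLongW") and len(args) > 1:
        idx = _hex(args[1])
        if idx is not None and idx < 0x100:
            signed = idx - 0x100 if idx & 0x80 else idx   # undo the byte truncation
            notes.append(GWL_NAMES.get(signed, f"index {signed}"))
    return notes


def annotate_listing(text: str) -> List[dict]:
    """Parse every API line of a listing and attach notes to each record."""
    out = []
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec:
            rec["notes"] = annotate(rec)
            out.append(rec)
    return out


# Constructed input: lines copied verbatim from the listings in this report.
SAMPLE_LISTING = """
• GetDesktopWindow.USER32 ref: 01044C66
• GetWindowLongW.USER32(?,000000F0), ref: 01044CCF
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01044D42
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01044DCB
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01044DDF
• LoadCursorW.USER32(00000000,00007F89), ref: 01035309
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0101C54F
  • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0104CB41
"""

if __name__ == "__main__":
    for rec in annotate_listing(SAMPLE_LISTING):
        print(f"{rec['ref']}  {rec['api']:<22} {'; '.join(rec['notes'])}")
```

Paste a whole "APIs" block from the report into SAMPLE_LISTING (or read it from a file) to annotate it in one pass; arguments shown as "?" were not recovered statically by the plugin and are left unannotated rather than guessed.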
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • DragQueryPoint.SHELL32(?,?), ref: 0104C917
                                      • Part of subcall function 0104ADF1: ClientToScreen.USER32(?,?), ref: 0104AE1A
                                      • Part of subcall function 0104ADF1: GetWindowRect.USER32(?,?), ref: 0104AE90
                                      • Part of subcall function 0104ADF1: PtInRect.USER32(?,?,0104C304), ref: 0104AEA0
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0104C980
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0104C98B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0104C9AE
                                    • _wcscat.LIBCMT ref: 0104C9DE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0104C9F5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0104CA0E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA25
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0104CA47
                                    • DragFinish.SHELL32(?), ref: 0104CA4E
                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0104CB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 169749273-3440237614
                                    • Opcode ID: eeacc0637e171d01c005238c7d8e02e486d9d29b2586b17ec4c694af73845d9d
                                    • Instruction ID: 79c2c68db08e8154ebe8f7ea3773b94a54181c4a0e08bfb491f225bf4299e55d
                                    • Instruction Fuzzy Hash: 8A619CB1108302AFC710EF64CD85E9FBBE8EF88750F000A1DF5D5961A1DB759A09DB92
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 010446AB
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 010446F6
                                    Strings
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: a616b81e21b381446c0072b1f3d165300f043a4ca174a81118ce3a28eec86230
                                    • Instruction ID: 98a90872809e7599f46cb850fa78923eef203ceceb95bc0116ab3f20e3c96c05
                                    • Instruction Fuzzy Hash: 67919F746043029BCB14EF14C891B6DB7E1BF94314F0044ACA8D69B7A2CF79ED4ADB41
                                    APIs
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • CharLowerBuffW.USER32(?,?), ref: 0102A636
                                    • GetDriveTypeW.KERNEL32 ref: 0102A683
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A6CB
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A702
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0102A730
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    Strings
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: 1645336393eb420027497e0de83c8c7902310c6933f762767d692afaa24da409
                                    • Instruction ID: 791e93c8ea47caa3f78d35661c0aa968f3c2393ef3697ee42d99e153ad594963
                                    • Instruction Fuzzy Hash: DE5129716043069FC710EF25CD82D6AB7E4FF88718F04495CF89A97251DB39AE09DB51
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0102A47A
                                    • __swprintf.LIBCMT ref: 0102A49C
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0102A4D9
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0102A4FE
                                    • _memset.LIBCMT ref: 0102A51D
                                    • _wcsncpy.LIBCMT ref: 0102A559
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0102A58E
                                    • CloseHandle.KERNEL32(00000000), ref: 0102A599
                                    • RemoveDirectoryW.KERNEL32(?), ref: 0102A5A2
                                    • CloseHandle.KERNEL32(00000000), ref: 0102A5AC
                                    Strings
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    • Opcode ID: 9401c972ef9423836056ddecb8503b2332a9877aaf62978ecc3890b5e1754d6d
                                    • Instruction ID: ef987a842248cc86656e45d6cde76b37c474024b90152a616632af4b8cb2472c
                                    • Instruction Fuzzy Hash: F631D2B560012AABDB219FA4DC88FEB77BCEF88701F1041B6FA48D3055EB7493448B24
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 0102DC7B
                                    • _wcscat.LIBCMT ref: 0102DC93
                                    • _wcscat.LIBCMT ref: 0102DCA5
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0102DCBA
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0102DCCE
                                    • GetFileAttributesW.KERNEL32(?), ref: 0102DCE6
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 0102DD00
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0102DD12
                                    Strings
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    • Opcode ID: f698f4c8425d69a178e1001cf494dd09d1adeb2479c2e03a885bf7eb5f4b0311
                                    • Instruction ID: aea918371ce5fd2f03f6f7b17f131b9b11ee4c6a71cb96f24016393e9790a27f
                                    • Instruction Fuzzy Hash: 4681D171504255DFDB60EFA8C8959AEB7E8BB88310F18886EF9C9C7211E634ED44CB52
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0104C4EC
                                    • GetFocus.USER32 ref: 0104C4FC
                                    • GetDlgCtrlID.USER32(00000000), ref: 0104C507
                                    • _memset.LIBCMT ref: 0104C632
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0104C65D
                                    • GetMenuItemCount.USER32(?), ref: 0104C67D
                                    • GetMenuItemID.USER32(?,00000000), ref: 0104C690
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0104C6C4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0104C70C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0104C744
                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0104C779
                                    Strings
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 1296962147-4108050209
                                    • Opcode ID: 97c07802e85496d954a3e54d770e1eb86c35e185423b2985d4edd6b93aa36509
                                    • Instruction ID: 935b489cf732cc905725ce976b578e20fe037bf8e10c7056debe5cdca7ecdde2
                                    • Instruction Fuzzy Hash: 68818FB01093019FE761DF18CAC4A6BBBE8FB88314F00456DF9D593251D731E905CBA2
                                    APIs
                                      • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
                                      • Part of subcall function 0101874A: GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
                                      • Part of subcall function 0101874A: GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
                                      • Part of subcall function 0101874A: HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
                                      • Part of subcall function 0101874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
                                      • Part of subcall function 010187E7: GetProcessHeap.KERNEL32(00000008,01018240,00000000,00000000,?,01018240,?), ref: 010187F3
                                      • Part of subcall function 010187E7: HeapAlloc.KERNEL32(00000000,?,01018240,?), ref: 010187FA
                                      • Part of subcall function 010187E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,01018240,?), ref: 0101880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01018458
                                    • _memset.LIBCMT ref: 0101846D
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0101848C
                                    • GetLengthSid.ADVAPI32(?), ref: 0101849D
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 010184DA
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 010184F6
                                    • GetLengthSid.ADVAPI32(?), ref: 01018513
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 01018522
                                    • HeapAlloc.KERNEL32(00000000), ref: 01018529
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0101854A
                                    • CopySid.ADVAPI32(00000000), ref: 01018551
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01018582
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 010185A8
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 010185BC
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: b2f6e3508c03a77d3cca0204a58a4c30524f51b02ac28ff11c54aab36fa9c959
                                    • Instruction ID: 2c7064d297ee35d75116c86521a13552edc59dcdacbab66726ab3174468bd597
                                    • Instruction Fuzzy Hash: D3615E7590020AAFDF10DF98DD84AEEBBB9FF44310F04815AF955A7284DB399A15CF60
                                    APIs
                                    • GetDC.USER32(00000000), ref: 010376A2
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 010376AE
                                    • CreateCompatibleDC.GDI32(?), ref: 010376BA
                                    • SelectObject.GDI32(00000000,?), ref: 010376C7
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0103771B
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01037757
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0103777B
                                    • SelectObject.GDI32(00000006,?), ref: 01037783
                                    • DeleteObject.GDI32(?), ref: 0103778C
                                    • DeleteDC.GDI32(00000006), ref: 01037793
                                    • ReleaseDC.USER32(00000000,?), ref: 0103779E
                                    Strings
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: f551f24cf9e1790d23b3bf15dbfc8a0fe55fa0cd27a4c46fdf83e198796b404d
                                    • Instruction ID: d60a38849504d3118e6f4c6a3b5574a47726b163e3673341c937bc56070afd35
                                    • Instruction Fuzzy Hash: 7A514CB5900209EFDB25CFA8C984EAEBBF9FF88710F14851DF99997210D735A840CB60
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,0104FB78), ref: 0102A0FC
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 0102A11E
                                    • __swprintf.LIBCMT ref: 0102A177
                                    • __swprintf.LIBCMT ref: 0102A190
                                    • _wprintf.LIBCMT ref: 0102A246
                                    • _wprintf.LIBCMT ref: 0102A264
                                    Strings
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 311963372-2391861430
                                    • Opcode ID: 680726c6a5ac98f71caa3676bdcb07defe36b6062ad9e385e5d33e7ca029ebd4
                                    • Instruction ID: afde35f4e4c6d853ac188b1ba9d3d66ffe1917dc06c6359124960b5d41f25884
                                    • Instruction Fuzzy Hash: E6516F7290421AAADF15FBE4CE86EEEB779AF04300F1001A9F54567051DB3A6F48EF60
                                    APIs
                                      • Part of subcall function 00FE0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FC6C6C,?,00008000), ref: 00FE0BB7
                                      • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00FC6D0D
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FC6E5A
                                      • Part of subcall function 00FC59CD: _wcscpy.LIBCMT ref: 00FC5A05
                                      • Part of subcall function 00FE387D: _iswctype.LIBCMT ref: 00FE3885
                                    Strings
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: 3a54abce3896ac3502934988a798076decedaa88e262a5a36d67695f28c2435e
                                    • Instruction ID: 6e1ece3c943f28b6cf53d242f5158281c296860b38ecdc45df93c82c972a3755
                                    • Instruction Fuzzy Hash: 7F0289315083429FC724EF24C982EAFBBE5AF98754F04091DF5C6972A1DB34E949EB42
                                    APIs
                                    • _memset.LIBCMT ref: 00FC45F9
                                    • GetMenuItemCount.USER32(01086890), ref: 00FFD7CD
                                    • GetMenuItemCount.USER32(01086890), ref: 00FFD87D
                                    • GetCursorPos.USER32(?), ref: 00FFD8C1
                                    • SetForegroundWindow.USER32(00000000), ref: 00FFD8CA
                                    • TrackPopupMenuEx.USER32(01086890,00000000,?,00000000,00000000,00000000), ref: 00FFD8DD
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FFD8E9
                                    Similarity
                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 2751501086-0
                                    • Opcode ID: a1f7073be8a628b4d687ae60fb8e6a181542e6c64f368f73de1e8ba4f4e03150
                                    • Instruction ID: 4b7b10187384f3e656c11ef5053f6c669536fa1c44fc0a11f66a106dabd541d9
                                    • Instruction Fuzzy Hash: 1F710972A4121ABBEB309F54DD89FBABF65FF05374F200216F6156A1E0C7B56810EB90
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    APIs
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                      • Part of subcall function 00FC7A84: _memmove.LIBCMT ref: 00FC7B0D
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 010255D2
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 010255E8
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 010255F9
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0102560B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0102561C
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    APIs
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    APIs
                                    • timeGetTime.WINMM ref: 0102521C
                                      • Part of subcall function 00FE0719: timeGetTime.WINMM(?,75A8B400,00FD0FF9), ref: 00FE071D
                                    • Sleep.KERNEL32(0000000A), ref: 01025248
                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0102526C
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0102528E
                                    • SetActiveWindow.USER32 ref: 010252AD
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 010252BB
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 010252DA
                                    • Sleep.KERNEL32(000000FA), ref: 010252E5
                                    • IsWindow.USER32 ref: 010252F1
                                    • EndDialog.USER32(00000000), ref: 01025302
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    APIs
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • CoInitialize.OLE32(00000000), ref: 0102D855
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0102D8E8
                                    • SHGetDesktopFolder.SHELL32(?), ref: 0102D8FC
                                    • CoCreateInstance.OLE32(01052D7C,00000000,00000001,0107A89C,?), ref: 0102D948
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0102D9B7
                                    • CoTaskMemFree.OLE32(?,?), ref: 0102DA0F
                                    • _memset.LIBCMT ref: 0102DA4C
                                    • SHBrowseForFolderW.SHELL32(?), ref: 0102DA88
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0102DAAB
                                    • CoTaskMemFree.OLE32(00000000), ref: 0102DAB2
                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0102DAE9
                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0102DAEB
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 010205A7
                                    • SetKeyboardState.USER32(?), ref: 01020612
                                    • GetAsyncKeyState.USER32(000000A0), ref: 01020632
                                    • GetKeyState.USER32(000000A0), ref: 01020649
                                    • GetAsyncKeyState.USER32(000000A1), ref: 01020678
                                    • GetKeyState.USER32(000000A1), ref: 01020689
                                    • GetAsyncKeyState.USER32(00000011), ref: 010206B5
                                    • GetKeyState.USER32(00000011), ref: 010206C3
                                    • GetAsyncKeyState.USER32(00000012), ref: 010206EC
                                    • GetKeyState.USER32(00000012), ref: 010206FA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 01020723
                                    • GetKeyState.USER32(0000005B), ref: 01020731
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 0101C746
                                    • GetWindowRect.USER32(00000000,?), ref: 0101C758
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0101C7B6
                                    • GetDlgItem.USER32(?,00000002), ref: 0101C7C1
                                    • GetWindowRect.USER32(00000000,?), ref: 0101C7D3
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0101C827
                                    • GetDlgItem.USER32(?,000003E9), ref: 0101C835
                                    • GetWindowRect.USER32(00000000,?), ref: 0101C846
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0101C889
                                    • GetDlgItem.USER32(?,000003EA), ref: 0101C897
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0101C8B4
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0101C8C1
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    APIs
                                      • Part of subcall function 00FC1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FC2036,?,00000000,?,?,?,?,00FC16CB,00000000,?), ref: 00FC1B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00FC20D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FC216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00FFBEF6
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF27
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF3E
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00FC16CB,00000000,?,?,00FC1AE2,?,?), ref: 00FFBF5A
                                    • DeleteObject.GDI32(00000000), ref: 00FFBF6C
                                    Similarity
                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 641708696-0
                                    APIs
                                      • Part of subcall function 00FC25DB: GetWindowLongW.USER32(?,000000EB), ref: 00FC25EC
                                    • GetSysColor.USER32(0000000F), ref: 00FC21D3
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,0104F910), ref: 0102AB76
                                    • GetDriveTypeW.KERNEL32(00000061,0107A620,00000061), ref: 0102AC40
                                    • _wcscpy.LIBCMT ref: 0102AC6A
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    APIs
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    APIs
                                    • _memset.LIBCMT ref: 010473D9
                                    • CreateMenu.USER32 ref: 010473F4
                                    • SetMenu.USER32(?,00000000), ref: 01047403
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01047490
                                    • IsMenu.USER32(?), ref: 010474A6
                                    • CreatePopupMenu.USER32 ref: 010474B0
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010474DD
                                    • DrawMenuBar.USER32 ref: 010474E5
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 010477CD
                                    • CreateCompatibleDC.GDI32(00000000), ref: 010477D4
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 010477E7
                                    • SelectObject.GDI32(00000000,00000000), ref: 010477EF
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 010477FA
                                    • DeleteDC.GDI32(00000000), ref: 01047803
                                    • GetWindowLongW.USER32(?,000000EC), ref: 0104780D
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 01047821
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0104782D
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    APIs
                                    • _memset.LIBCMT ref: 00FE707B
                                      • Part of subcall function 00FE8D68: __getptd_noexit.LIBCMT ref: 00FE8D68
                                    • __gmtime64_s.LIBCMT ref: 00FE7114
                                    • __gmtime64_s.LIBCMT ref: 00FE714A
                                    • __gmtime64_s.LIBCMT ref: 00FE7167
                                    • __allrem.LIBCMT ref: 00FE71BD
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE71D9
                                    • __allrem.LIBCMT ref: 00FE71F0
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE720E
                                    • __allrem.LIBCMT ref: 00FE7225
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FE7243
                                    • __invoke_watson.LIBCMT ref: 00FE72B4
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    APIs
                                    • _memset.LIBCMT ref: 01022A31
                                    • GetMenuItemInfoW.USER32(01086890,000000FF,00000000,00000030), ref: 01022A92
                                    • SetMenuItemInfoW.USER32(01086890,00000004,00000000,00000030), ref: 01022AC8
                                    • Sleep.KERNEL32(000001F4), ref: 01022ADA
                                    • GetMenuItemCount.USER32(?), ref: 01022B1E
                                    • GetMenuItemID.USER32(?,00000000), ref: 01022B3A
                                    • GetMenuItemID.USER32(?,-00000001), ref: 01022B64
                                    • GetMenuItemID.USER32(?,?), ref: 01022BA9
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01022BEF
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C03
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022C24
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01047214
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01047217
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0104723B
                                    • _memset.LIBCMT ref: 0104724C
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0104725E
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 010472D6
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01017135
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 0101718E
                                    • VariantInit.OLEAUT32(?), ref: 010171A0
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 010171C0
                                    • VariantCopy.OLEAUT32(?,?), ref: 01017213
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 01017227
                                    • VariantClear.OLEAUT32(?), ref: 0101723C
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 01017249
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01017252
                                    • VariantClear.OLEAUT32(?), ref: 01017264
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0101726F
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    APIs
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • CoInitialize.OLE32 ref: 01038718
                                    • CoUninitialize.OLE32 ref: 01038723
                                    • CoCreateInstance.OLE32(?,00000000,00000017,01052BEC,?), ref: 01038783
                                    • IIDFromString.OLE32(?,?), ref: 010387F6
                                    • VariantInit.OLEAUT32(?), ref: 01038890
                                    • VariantClear.OLEAUT32(?), ref: 010388F1
                                    Strings
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    APIs
                                    • WSAStartup.WSOCK32(00000101,?), ref: 01035AA6
                                    • inet_addr.WSOCK32(?,?,?), ref: 01035AEB
                                    • gethostbyname.WSOCK32(?), ref: 01035AF7
                                    • IcmpCreateFile.IPHLPAPI ref: 01035B05
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B75
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01035B8B
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 01035C00
                                    • WSACleanup.WSOCK32 ref: 01035C06
                                    Strings
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0102B73B
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0102B7B1
                                    • GetLastError.KERNEL32 ref: 0102B7BB
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0102B828
                                    Strings
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 010194F6
                                    • GetDlgCtrlID.USER32 ref: 01019501
                                    • GetParent.USER32 ref: 0101951D
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 01019520
                                    • GetDlgCtrlID.USER32(?), ref: 01019529
                                    • GetParent.USER32(?), ref: 01019545
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 01019548
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010195DF
                                    • GetDlgCtrlID.USER32 ref: 010195EA
                                    • GetParent.USER32 ref: 01019606
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 01019609
                                    • GetDlgCtrlID.USER32(?), ref: 01019612
                                    • GetParent.USER32(?), ref: 0101962E
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 01019631
                                    Strings
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    APIs
                                    • GetParent.USER32 ref: 01019651
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 01019666
                                    • _wcscmp.LIBCMT ref: 01019678
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 010196F3
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 01038BEC
                                    • CoInitialize.OLE32(00000000), ref: 01038C19
                                    • CoUninitialize.OLE32 ref: 01038C23
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 01038D23
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 01038E50
                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01052C0C), ref: 01038E84
                                    • CoGetObject.OLE32(?,00000000,01052C0C,?), ref: 01038EA7
                                    • SetErrorMode.KERNEL32(00000000), ref: 01038EBA
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01038F3A
                                    • VariantClear.OLEAUT32(?), ref: 01038F4A
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    APIs
                                    • __swprintf.LIBCMT ref: 0102419D
                                    • __swprintf.LIBCMT ref: 010241AA
                                      • Part of subcall function 00FE38D8: __woutput_l.LIBCMT ref: 00FE3931
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 010241D4
                                    • LoadResource.KERNEL32(?,00000000), ref: 010241E0
                                    • LockResource.KERNEL32(00000000), ref: 010241ED
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0102420D
                                    • LoadResource.KERNEL32(?,00000000), ref: 0102421F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 0102422E
                                    • LockResource.KERNEL32(?), ref: 0102423A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0102429B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
                                    • Instruction ID: fc1d51308d888d1a64518ad4705c25236c862e2939d8c013b7d9d45d59aeeb1d
                                    • Opcode Fuzzy Hash: 81da1dfe2c8887e2a16802a900f455d20cd2eab0ba0b8642d5fdc2f396ea7abf
                                    • Instruction Fuzzy Hash: 7C31C1B5A0122AAFDB219FA5DE88EBF7BACEF05301F044555F981D2140D779DA11CBB0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 01021700
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,01020778,?,00000001), ref: 01021714
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 0102171B
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 0102172A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0102173C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021755
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01020778,?,00000001), ref: 01021767
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217AC
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217C1
                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01020778,?,00000001), ref: 010217CC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
                                    • Instruction ID: 55e9cf9bfd32eb2735a84342cdec4386219881c7a649c4706141f555e3d8243b
                                    • Opcode Fuzzy Hash: 5ee7027b5ce8c50979c3025bdc274488fc8118ae256f74d074bc6cb70d871a35
                                    • Instruction Fuzzy Hash: A331B475600614BBEB319F29D984B6E7BF9BB89711F204055F9C0C628AD7799940CB90
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FCFC06
                                    • OleUninitialize.OLE32(?,00000000), ref: 00FCFCA5
                                    • UnregisterHotKey.USER32(?), ref: 00FCFDFC
                                    • DestroyWindow.USER32(?), ref: 01004A00
                                    • FreeLibrary.KERNEL32(?), ref: 01004A65
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01004A92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
                                    • Instruction ID: 446da47fa6da12458685a4e63c76fdd7f1de48b163972a118f8a54300e14234a
                                    • Opcode Fuzzy Hash: 3aeff553afe28915e030095c0d30327da908938913d8938afc716fc3f6df859e
                                    • Instruction Fuzzy Hash: 5CA1CD317012138FDB2AEF14CA95F69F7A1BF04700F1442ADE94AAB292CB34AD56DF54
                                    APIs
                                    • EnumChildWindows.USER32(?,0101AA64), ref: 0101A9A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
                                    • Instruction ID: 2043d53cada96c10b37b45fdc4c39e621ca4b5d43cf6d52f2281d43233ca77b5
                                    • Opcode Fuzzy Hash: 0215038d09b370ca31335d275327de10829f527c29a81b83b3f9178be62ad8ec
                                    • Instruction Fuzzy Hash: F491A230A01687EBDB58EF64C881BEDFBB5BF04314F008159D9CAA7145DF386A99DB90
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00FC2EAE
                                      • Part of subcall function 00FC1DB3: GetClientRect.USER32(?,?), ref: 00FC1DDC
                                      • Part of subcall function 00FC1DB3: GetWindowRect.USER32(?,?), ref: 00FC1E1D
                                      • Part of subcall function 00FC1DB3: ScreenToClient.USER32(?,?), ref: 00FC1E45
                                    • GetDC.USER32 ref: 00FFCF82
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FFCF95
                                    • SelectObject.GDI32(00000000,00000000), ref: 00FFCFA3
                                    • SelectObject.GDI32(00000000,00000000), ref: 00FFCFB8
                                    • ReleaseDC.USER32(?,00000000), ref: 00FFCFC0
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FFD04B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
                                    • Instruction ID: 595ffe933c7277aace115b234fd4c795e1c6e498151137c704106655649370cd
                                    • Opcode Fuzzy Hash: 785be575d9860315501aa33e2aff1377a363d9ac24e23a9c79ca01a62703c4c1
                                    • Instruction Fuzzy Hash: CE71D77180020EDFCF219F64C985BBA7BB6FF49360F144269EE959A1A9C7358C41FB60
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                      • Part of subcall function 00FC2344: GetCursorPos.USER32(?), ref: 00FC2357
                                      • Part of subcall function 00FC2344: ScreenToClient.USER32(010867B0,?), ref: 00FC2374
                                      • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000001), ref: 00FC2399
                                      • Part of subcall function 00FC2344: GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0104C2E4
                                    • ImageList_EndDrag.COMCTL32 ref: 0104C2EA
                                    • ReleaseCapture.USER32 ref: 0104C2F0
                                    • SetWindowTextW.USER32(?,00000000), ref: 0104C39A
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0104C3AD
                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0104C48F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                    • API String ID: 1924731296-2107944366
                                    • Opcode ID: ef42de2fb9de43d11d80ed93690064068cd796c7ff0b120784e2e78dcbb43713
                                    • Instruction ID: d5e3ca9b30c0bd804530198ff6b8dfe830d0b7e38658d6267bd9dfe818491f2d
                                    • Opcode Fuzzy Hash: ef42de2fb9de43d11d80ed93690064068cd796c7ff0b120784e2e78dcbb43713
                                    • Instruction Fuzzy Hash: 8751AEB4208306AFD710EF24CA96F6E7BE1FB88310F00452DF5D58B2A1DB7AA944DB51
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0104F910), ref: 0103903D
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0104F910), ref: 01039071
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 010391EB
                                    • SysFreeString.OLEAUT32(?), ref: 01039215
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: de5b004e0a63396dc9089a0f1307055ca1d982fdca3236f47bbeba11cac9a7af
                                    • Instruction ID: 9b250065ba37dd12edeb21b8778df0499a8627d4cd7090f7e9c89276ee3be56f
                                    • Opcode Fuzzy Hash: de5b004e0a63396dc9089a0f1307055ca1d982fdca3236f47bbeba11cac9a7af
                                    • Instruction Fuzzy Hash: 9FF14D75A00109EFDF14DF98C888EAEB7B9FF89318F108099F556AB251CB71AE45CB50
                                    APIs
                                    • _memset.LIBCMT ref: 0103F9C9
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB5C
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0103FB80
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBC0
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0103FBE2
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103FD5E
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0103FD90
                                    • CloseHandle.KERNEL32(?), ref: 0103FDBF
                                    • CloseHandle.KERNEL32(?), ref: 0103FE36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: cb00e6a114feb2392aaa90c3e9a558df4a187339195a3e874759e8fd58d5c059
                                    • Instruction ID: ca9cc8ed1d3619a345700b387eb2a71871f220e71ca878d71529d5826c91a42a
                                    • Opcode Fuzzy Hash: cb00e6a114feb2392aaa90c3e9a558df4a187339195a3e874759e8fd58d5c059
                                    • Instruction Fuzzy Hash: 25E1C0716043429FCB14EF28C985B6ABBE5AF84350F04845DF9DA8B2A2CB75DC45CB52
                                    APIs
                                      • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7
                                      • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0
                                      • Part of subcall function 01024CD3: GetFileAttributesW.KERNEL32(?,01023947), ref: 01024CD4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 01024FE2
                                    • _wcscmp.LIBCMT ref: 01024FFC
                                    • MoveFileW.KERNEL32(?,?), ref: 01025017
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: a52800225b52a93733076169d9581b9332e6f6e2d6b3890fc7522d84701340d7
                                    • Instruction ID: b16bddbcacc5f4da88aea597ace4b6d3276e0dfdbd5a0692744813fd1cdf85da
                                    • Opcode Fuzzy Hash: a52800225b52a93733076169d9581b9332e6f6e2d6b3890fc7522d84701340d7
                                    • Instruction Fuzzy Hash: 555173B20083959BC764EB64DC85DDFB7ECAF84341F10492EF2C9D3151EE79A188876A
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0104896E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: eb54c13dbc352428e957a8988ec7546bbf8b667668430cccb9516e0dc6ab6497
                                    • Instruction ID: fdd1258a5d379f6b62818efd2dfaf62844fbba4f026ad00a95c84815c56dda23
                                    • Opcode Fuzzy Hash: eb54c13dbc352428e957a8988ec7546bbf8b667668430cccb9516e0dc6ab6497
                                    • Instruction Fuzzy Hash: 1C51D3B0500205BBFF349EA8DCC5B9D7BA4FB04310F108967F694E61D1CBB5A990CB81
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FFC547
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FFC569
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FFC581
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FFC59F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FFC5C0
                                    • DestroyIcon.USER32(00000000), ref: 00FFC5CF
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FFC5EC
                                    • DestroyIcon.USER32(?), ref: 00FFC5FB
                                      • Part of subcall function 0104A71E: DeleteObject.GDI32(00000000), ref: 0104A757
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2819616528-0
                                    • Opcode ID: 6c3ef8b1eeac22143ea1a322110b2620695ea7422588e77e1d8841c72e57591d
                                    • Instruction ID: 79717c661ef6cc9e0d53bab90e569baa839f3cf0004bb2b9aea3ce4b5edb87a1
                                    • Opcode Fuzzy Hash: 6c3ef8b1eeac22143ea1a322110b2620695ea7422588e77e1d8841c72e57591d
                                    • Instruction Fuzzy Hash: C7515A74A0020AAFDB24DF24CA46FAA37A5EF58360F140518F94697290DB75ED90EB90
                                    APIs
                                      • Part of subcall function 0101AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101AE77
                                      • Part of subcall function 0101AE57: GetCurrentThreadId.KERNEL32 ref: 0101AE7E
                                      • Part of subcall function 0101AE57: AttachThreadInput.USER32(00000000,?,01019B65,?,00000001), ref: 0101AE85
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B70
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 01019B8D
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 01019B90
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019B99
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01019BB7
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BBA
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 01019BC3
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01019BDA
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 01019BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: a867404daa0c4c8f83f9f691239d52f26709895196546cc0ddb9f90d2a3adef6
                                    • Instruction ID: 0b8b06ac6d9fac8d6e4ed33df3a88409a1dcc1e22c380f2e344a3c9b95f71fd1
                                    • Opcode Fuzzy Hash: a867404daa0c4c8f83f9f691239d52f26709895196546cc0ddb9f90d2a3adef6
                                    • Instruction Fuzzy Hash: 1111E1B5A50219BFF6206B74DC89FAA3B6DEB4C795F100415F284AB094C9F75C10DBA4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,01018A84,00000B00,?,?), ref: 01018E0C
                                    • HeapAlloc.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E13
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E28
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,01018A84,00000B00,?,?), ref: 01018E30
                                    • DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E33
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,01018A84,00000B00,?,?), ref: 01018E43
                                    • GetCurrentProcess.KERNEL32(01018A84,00000000,?,01018A84,00000B00,?,?), ref: 01018E4B
                                    • DuplicateHandle.KERNEL32(00000000,?,01018A84,00000B00,?,?), ref: 01018E4E
                                    • CreateThread.KERNEL32(00000000,00000000,01018E74,00000000,00000000,00000000), ref: 01018E68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                    • String ID:
                                    • API String ID: 1957940570-0
                                    • Opcode ID: 92df2292e70286867dd3ce00cbd5be44c9615afb89828029f29bc502ecb14473
                                    • Instruction ID: d25ba754b7db1e1c069e249ac728c3b2dd0363fddfa30633de5e5ed087854a23
                                    • Opcode Fuzzy Hash: 92df2292e70286867dd3ce00cbd5be44c9615afb89828029f29bc502ecb14473
                                    • Instruction Fuzzy Hash: 1501BBB9240309BFE720ABA9DD8DF6B3BACEB89711F004411FA45DB195CA759800CB60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    • Opcode ID: 05d9910e8e8c30d0ac99c411060d39bc9aa1bd176ea633e101b6f58a642728b0
                                    • Instruction ID: 69037e3eadfd935f42c50054321875e6e3970365d691e873a8d7cd9525d09417
                                    • Opcode Fuzzy Hash: 05d9910e8e8c30d0ac99c411060d39bc9aa1bd176ea633e101b6f58a642728b0
                                    • Instruction Fuzzy Hash: A191B371A00205EBDF25DFA5C844FAEBBBCEF89318F008559F555AB281D7B09944CFA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01047093
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 010470A7
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 010470C1
                                    • _wcscat.LIBCMT ref: 0104711C
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 01047133
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01047161
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: 5928bb40eaa78b3f2928363675f002a56495a4fa0b18bbe092fbc470451edcae
                                    • Instruction ID: 97773ecc20b5ece0a198e24eade10d82465562a9c94f1dd27027b5e90543fb0c
                                    • Opcode Fuzzy Hash: 5928bb40eaa78b3f2928363675f002a56495a4fa0b18bbe092fbc470451edcae
                                    • Instruction Fuzzy Hash: 4F4191B5A00309EFEB219F68CC85BEE77E9EF08350F10057AF6C5A7192D77699848B50
                                    APIs
                                      • Part of subcall function 01023E91: CreateToolhelp32Snapshot.KERNEL32 ref: 01023EB6
                                      • Part of subcall function 01023E91: Process32FirstW.KERNEL32(00000000,?), ref: 01023EC4
                                      • Part of subcall function 01023E91: CloseHandle.KERNEL32(00000000), ref: 01023F8E
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECB8
                                    • GetLastError.KERNEL32 ref: 0103ECCB
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0103ECFA
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0103ED77
                                    • GetLastError.KERNEL32(00000000), ref: 0103ED82
                                    • CloseHandle.KERNEL32(00000000), ref: 0103EDB7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: 0a74a5ffc57d2d1c7d438bf631d7f834ff3cedea53f8c04def328bb32dc135b0
                                    • Instruction ID: f8e6c773f96f6432fdfdc11c89ad086bc1fefd6adf51ecbc775f02ea05d8c4a2
                                    • Opcode Fuzzy Hash: 0a74a5ffc57d2d1c7d438bf631d7f834ff3cedea53f8c04def328bb32dc135b0
                                    • Instruction Fuzzy Hash: 3C41B5712042029FDB15EF18CC99F6DB7E5AF80714F08815DF9869F2C2DBB9A804CB55
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 010232C5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: 5751796727ee0d8cf9d4b51d8a6f573ed26bf7dfea98f2dc554ccdd250badb50
                                    • Instruction ID: e2d06c561c53e696028a50002ce59ad2cd41c8ca4f0c102297e9b1d397cf8221
                                    • Opcode Fuzzy Hash: 5751796727ee0d8cf9d4b51d8a6f573ed26bf7dfea98f2dc554ccdd250badb50
                                    • Instruction Fuzzy Hash: 84112B31B083A6BBE7015A59DC47D6EB7DCFF0E670F10005EF580AF182D67D664486A4
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0102454E
                                    • LoadStringW.USER32(00000000), ref: 01024555
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0102456B
                                    • LoadStringW.USER32(00000000), ref: 01024572
                                    • _wprintf.LIBCMT ref: 01024598
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 010245B6
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 01024593
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
                                    • Instruction ID: 7d7c6515c14c0847aadca8456184883a92551be2265460db750c46286569b514
                                    • Opcode Fuzzy Hash: 177894805b5efdba201835129e31388b7c0c1d4344db515e465bc3c83029fd69
                                    • Instruction Fuzzy Hash: A201DBF68002197FE720D7A4DEC9EF7776CD708300F000595BB85D2002EA355E854B70
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • GetSystemMetrics.USER32(0000000F), ref: 0104D78A
                                    • GetSystemMetrics.USER32(0000000F), ref: 0104D7AA
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0104D9E5
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0104DA03
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0104DA24
                                    • ShowWindow.USER32(00000003,00000000), ref: 0104DA43
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0104DA68
                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0104DA8B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                    • String ID:
                                    • API String ID: 1211466189-0
                                    • Opcode ID: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
                                    • Instruction ID: 1c4636f6d3579b25d4951044c690f729c5adc882b5f5f8e257d4ac906bd424dc
                                    • Opcode Fuzzy Hash: 05c8309a071f82fbc7528e8cd1269571fedb6a99f5bfe39163d3d40bec074dae
                                    • Instruction Fuzzy Hash: 28B177B5600216EBEF14CFACC5C57AD7BF2BF54701F0881B9ED889A289D735A950CB90
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FC2ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000,000000FF), ref: 00FC2B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC46A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FFC417,00000004,00000000,00000000,00000000), ref: 00FFC4D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
                                    • Instruction ID: ee5f35f63e7ff7394cef47efeb5f9dca98081d61150fbd2039d4f519dd859a14
                                    • Opcode Fuzzy Hash: 5a2dd4fab95832eeb50be8e319e1b5676194bd7249e2564786217132205fac7a
                                    • Instruction Fuzzy Hash: DB412A71A086869BC7B9DB2C9FDAF7A3B91FF85320F14880DE18786560C67E9841F750
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0102737F
                                      • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                                      • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 010273B6
                                    • EnterCriticalSection.KERNEL32(?), ref: 010273D2
                                    • _memmove.LIBCMT ref: 01027420
                                    • _memmove.LIBCMT ref: 0102743D
                                    • LeaveCriticalSection.KERNEL32(?), ref: 0102744C
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 01027461
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01027480
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    • Opcode ID: 8516d3541ab638266d37ab847f26d11e72d2cdbf8f3c1e2ffcba4a27193117a2
                                    • Instruction ID: 17a6824fd9f5b5732af7430cce0b532db692985644449915c2d70d51826788f3
                                    • Opcode Fuzzy Hash: 8516d3541ab638266d37ab847f26d11e72d2cdbf8f3c1e2ffcba4a27193117a2
                                    • Instruction Fuzzy Hash: 9131CF75900246EBDF10EF69CD85AAFBBB8FF45310B1440A5F944AB24ADB35DA10DBA0
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 0104645A
                                    • GetDC.USER32(00000000), ref: 01046462
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0104646D
                                    • ReleaseDC.USER32(00000000,00000000), ref: 01046479
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 010464B5
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 010464C6
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01049299,?,?,000000FF,00000000,?,000000FF,?), ref: 01046500
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01046520
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
                                    • Instruction ID: 372aaa1822fa72986138b2f922b0545e122344ebd0aff47eeb1abaa2aa6853c2
                                    • Opcode Fuzzy Hash: 8d62ac627dd1fa7b7ffc25e4532b813661e5ec872c4ec3298c8dc810c3212542
                                    • Instruction Fuzzy Hash: EF3193B52011107FEB218F54CD85FE73FA9EF4A751F0400A5FE489A195D67A9841CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
                                    • Instruction ID: ae5926950b5102db7bbe2158dd79f481bd64d92381729193cb472fc50f2e4577
                                    • Opcode Fuzzy Hash: 32ac2192bb84eca07adb2db7adb0eea1f54c5874a06b98be7b4f41493bfa9e35
                                    • Instruction Fuzzy Hash: 0821D7727C1209B7F392A5278E42FAF379CAF12294B040024FE899A247E769DD11C1A6
                                    APIs
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                      • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
                                    • _wcstok.LIBCMT ref: 0102EEFF
                                    • _wcscpy.LIBCMT ref: 0102EF8E
                                    • _memset.LIBCMT ref: 0102EFC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: 15ed9a6920f8fccd33fcf2416d3a66c4aa3e15da56ea244d2d202ad44d201392
                                    • Instruction ID: b065cd47464cb3e81e7cf0eb153cdb373ad26012739e96cbc1d3989aa1291abe
                                    • Opcode Fuzzy Hash: 15ed9a6920f8fccd33fcf2416d3a66c4aa3e15da56ea244d2d202ad44d201392
                                    • Instruction Fuzzy Hash: 7EC1AF315083529FD764EF24C986E5AB7E4BF84310F00496DF9D98B2A2DB74ED44DB82
                                    APIs
                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01036F14
                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01036F35
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036F48
                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 01036FFE
                                    • inet_ntoa.WSOCK32(?), ref: 01036FBB
                                      • Part of subcall function 0101AE14: _strlen.LIBCMT ref: 0101AE1E
                                      • Part of subcall function 0101AE14: _memmove.LIBCMT ref: 0101AE40
                                    • _strlen.LIBCMT ref: 01037058
                                    • _memmove.LIBCMT ref: 010370C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                    • String ID:
                                    • API String ID: 3619996494-0
                                    • Opcode ID: ec751a57ddd5a6f9d86085e0b6fc67e09de57f2e84757b3672af53cf9286784b
                                    • Instruction ID: 63e12e0c3018af97015c461e8eb09dd2c0219f9707d05406f41f616d10ea6587
                                    • Opcode Fuzzy Hash: ec751a57ddd5a6f9d86085e0b6fc67e09de57f2e84757b3672af53cf9286784b
                                    • Instruction Fuzzy Hash: 0481DF75104302ABD710EB28CD86F6FB7E9AFC4714F00491CF5959B292DA79AE05CBA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
                                    • Instruction ID: 1d4338822af0a1421a8c9146f986375a8c977f2c3b473357a22e4fee73991aaf
                                    • Opcode Fuzzy Hash: e96ef96a2fd6f095c114c915078d4fec04398671391c34c170067b1c81a356f9
                                    • Instruction Fuzzy Hash: C071807590010AEFCB14CF58CD85FBEBB79FF86324F248149F915AA252C734AA61DB60
                                    APIs
                                    • IsWindow.USER32(01546590), ref: 0104B6A5
                                    • IsWindowEnabled.USER32(01546590), ref: 0104B6B1
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0104B795
                                    • SendMessageW.USER32(01546590,000000B0,?,?), ref: 0104B7CC
                                    • IsDlgButtonChecked.USER32(?,?), ref: 0104B809
                                    • GetWindowLongW.USER32(01546590,000000EC), ref: 0104B82B
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0104B843
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    • Opcode ID: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
                                    • Instruction ID: f2360f9b56d9a7d0c728e712d141e39bdfab7c9a59dc80f05dbe7df087ea3fa6
                                    • Opcode Fuzzy Hash: 9de30d596e4d651011b488a885b69921cdc5de79c36d1429a2bf4a6749e859e4
                                    • Instruction Fuzzy Hash: 7C719EB4604205AFEB65EF68C8D4FAA7BF9FF09340F0840A9EAC597251C736E941CB50
                                    APIs
                                    • _memset.LIBCMT ref: 0103F75C
                                    • _memset.LIBCMT ref: 0103F825
                                    • ShellExecuteExW.SHELL32(?), ref: 0103F86A
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                      • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
                                    • GetProcessId.KERNEL32(00000000), ref: 0103F8E1
                                    • CloseHandle.KERNEL32(00000000), ref: 0103F910
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    • Opcode ID: cd90183cbf04a7f776d171cf514337ab5d9e255713a24aa0d64173d413d0499e
                                    • Instruction ID: c419759055dc6bf615656a4da87e47797c8eb0cd25d8dc6a31fe244dfe675aeb
                                    • Opcode Fuzzy Hash: cd90183cbf04a7f776d171cf514337ab5d9e255713a24aa0d64173d413d0499e
                                    • Instruction Fuzzy Hash: C461C075E0061ADFCB14EF54C985AAEBBF4FF88310B14805DE88AAB351CB34AD40CB90
                                    APIs
                                    • GetParent.USER32(?), ref: 0102149C
                                    • GetKeyboardState.USER32(?), ref: 010214B1
                                    • SetKeyboardState.USER32(?), ref: 01021512
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 01021540
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0102155F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 010215A5
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 010215C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
                                    • Instruction ID: 98e9f08d12e6e0fb1a687d0404f8a981c7188d50ac4b06f1f30cd9aa5d6c3e64
                                    • Opcode Fuzzy Hash: 7d2ec55a8b7697a9e60233923e1377b11c892661d827287dda885068ebcd5532
                                    • Instruction Fuzzy Hash: 9151C2B0A047F67EFB3646388C45BBA7EE96F06304F0C45C9E2D9558C2D7B99884D750
                                    APIs
                                    • GetParent.USER32(00000000), ref: 010212B5
                                    • GetKeyboardState.USER32(?), ref: 010212CA
                                    • SetKeyboardState.USER32(?), ref: 0102132B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01021357
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01021374
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 010213B8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 010213D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
                                    • Instruction ID: aee6b1df716302bb2af0cce2df254e05e2ff76b88c78311742cdc6a481be859d
                                    • Opcode Fuzzy Hash: 3bf59876728719ccaa536d7c0b469f2c8ccd472afe11852a3f69d431d8a29a70
                                    • Instruction Fuzzy Hash: 1151D8B05047E63DFB3286288C55BBA7FEA6F06304F0885C9E2D8568C2D7B5A898D750
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
                                    • Instruction ID: 7905e644cd0193bb75c4ceebf2fb65eb373e573021e3b74e1990ecb37fbde907
                                    • Opcode Fuzzy Hash: 95b959342bbfde12c382186f302d1910bfcc6e89dfb39920e5dc930bfba85bc5
                                    • Instruction Fuzzy Hash: F741A5A5C2026876CB51EBB58C8B9CFB7ACAF05310F508466F658E3111F738E714D7AA
                                    APIs
                                      • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,010238D3,?), ref: 010248C7
                                      • Part of subcall function 010248AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,010238D3,?), ref: 010248E0
                                    • lstrcmpiW.KERNEL32(?,?), ref: 010238F3
                                    • _wcscmp.LIBCMT ref: 0102390F
                                    • MoveFileW.KERNEL32(?,?), ref: 01023927
                                    • _wcscat.LIBCMT ref: 0102396F
                                    • SHFileOperationW.SHELL32(?), ref: 010239DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    • Opcode ID: 6a0575a4ebdcb55554856e3990f062fec8d7fc062d6262a82710487afc06eb95
                                    • Instruction ID: 0e90084cbf2e12a211a93a3a99862f695b6319c361996b701469c9635b2cff97
                                    • Opcode Fuzzy Hash: 6a0575a4ebdcb55554856e3990f062fec8d7fc062d6262a82710487afc06eb95
                                    • Instruction Fuzzy Hash: 754181B16083959AC791EF68C881ADFB7ECBF89340F00096EF5C9C7151EA39D248C752
                                    APIs
                                    • _memset.LIBCMT ref: 01047519
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010475C0
                                    • IsMenu.USER32(?), ref: 010475D8
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01047620
                                    • DrawMenuBar.USER32 ref: 01047633
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    • Opcode ID: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
                                    • Instruction ID: cd4f245f1141f5a813ac52be0910837bb36f0a6d5688ca37930d55fcf38ce715
                                    • Opcode Fuzzy Hash: 5226639ed959ace99133718c2c9e5af8d5aa744a2afc0f8c2317472e1bd94ea4
                                    • Instruction Fuzzy Hash: 15411AB5A00249EFDB20DF58D9C4E9ABBF9FF08314F048169EE959B250D735A950CF90
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0104125C
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01041286
                                    • FreeLibrary.KERNEL32(00000000), ref: 0104133D
                                      • Part of subcall function 0104122D: RegCloseKey.ADVAPI32(?), ref: 010412A3
                                      • Part of subcall function 0104122D: FreeLibrary.KERNEL32(?), ref: 010412F5
                                      • Part of subcall function 0104122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01041318
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 010412E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    • Opcode ID: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
                                    • Instruction ID: 5f97be1ffdd2702bb17c003ef8a6089432ca8d16d325f72dd464003556558c79
                                    • Opcode Fuzzy Hash: adf0140bff9599ea61fcfd01762e1ab47c86faa532b1cfa17590747fceb0dc33
                                    • Instruction Fuzzy Hash: 35314FF5901119BFEB159B94D9C5EFEB7BCEF08300F0041A9E591E2140DA756A859BA0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0104655B
                                    • GetWindowLongW.USER32(01546590,000000F0), ref: 0104658E
                                    • GetWindowLongW.USER32(01546590,000000F0), ref: 010465C3
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 010465F5
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0104661F
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 01046630
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0104664A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
                                    • Instruction ID: 66bdcedb550671b26e9638524d95a22a308d304d1fee8bda5a7ece15d425a8ae
                                    • Opcode Fuzzy Hash: 86eaa37a7be65ad250b88d3ba86129b2deacd357e84658f742a361a2d3fbdb05
                                    • Instruction Fuzzy Hash: 513119B4604111AFDB31DF6CE8C4F593BE1FB4A750F1902A4F5858B2AADB77A840CB81
                                    APIs
                                      • Part of subcall function 010380A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010380CB
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010364D9
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010364E8
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036521
                                    • connect.WSOCK32(00000000,?,00000010), ref: 0103652A
                                    • WSAGetLastError.WSOCK32 ref: 01036534
                                    • closesocket.WSOCK32(00000000), ref: 0103655D
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01036576
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    • Opcode ID: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
                                    • Instruction ID: 4f4e49af2035a04d6312d255add8cd40887a5a66971ebfc6abf711ce6893f56d
                                    • Opcode Fuzzy Hash: 89263313823b6982da013a44ff32f4e7c15b63746d8506130e786acb4a0df3d1
                                    • Instruction Fuzzy Hash: 8631B575600119AFEB109F18DD85FBE7BEDEB84714F00806DF989DB281DB79A904CB61
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E0FA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0101E120
                                    • SysAllocString.OLEAUT32(00000000), ref: 0101E123
                                    • SysAllocString.OLEAUT32 ref: 0101E144
                                    • SysFreeString.OLEAUT32 ref: 0101E14D
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0101E167
                                    • SysAllocString.OLEAUT32(?), ref: 0101E175
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 5cc089d748aee7a5c8d7a76ca63d8d9f0a4c2017e07c91b17d12323078bc0a9f
                                    • Instruction ID: fb6076b036189ca195d136db9a7d7defa998d0c204093788aafc8ca76b0063c5
                                    • Opcode Fuzzy Hash: 5cc089d748aee7a5c8d7a76ca63d8d9f0a4c2017e07c91b17d12323078bc0a9f
                                    • Instruction Fuzzy Hash: 2821A776600109AFDB21AFACDC88CAF77ECEB09760B408165FD95CB259DE79DC418B60
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: 104469b49e4d378eb073931343c3f0ef6777c811128c6f209e5663f95ebc181a
                                    • Instruction ID: 9fb8fbc3b2552855590963b2e8c0c5866bb77d8de4ed3b3bcc883f1ce33781da
                                    • Opcode Fuzzy Hash: 104469b49e4d378eb073931343c3f0ef6777c811128c6f209e5663f95ebc181a
                                    • Instruction Fuzzy Hash: 8A217CB2104253A6D331B6399E52FAB73D8FF05344F04402AFEC687146E79CA985E3A1
                                    APIs
                                      • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                                      • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                                      • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 010478A1
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 010478AE
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 010478B9
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 010478C8
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 010478D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
                                    • Instruction ID: f175a384b5db5b5a624edd211b36d34e8d41525399b9a8d7dbcde957629200d8
                                    • Opcode Fuzzy Hash: 3febb89ce44718102afcc7f349c2f1d706e20caa7b30c34cf2796e22b51dd708
                                    • Instruction Fuzzy Hash: A01193B155011ABFFF159E64CC85EEB7F6DEF08798F014129B644A6050C7729C21DBA4
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00FE4292,?), ref: 00FE41E3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00FE41EA
                                    • EncodePointer.KERNEL32(00000000), ref: 00FE41F6
                                    • DecodePointer.KERNEL32(00000001,00FE4292,?), ref: 00FE4213
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 3489934621-340411864
                                    • Opcode ID: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
                                    • Instruction ID: 183ea7576ebee70fb2909a08b472208188f64f68cac8384bc3254cb06fcf2e4e
                                    • Opcode Fuzzy Hash: abce1ab908f0a5e2ba47f179ed56df646c18968441434528892b9ed581cf3972
                                    • Instruction Fuzzy Hash: 97E012F4E90342AFEF306B75ED49B093595BB11743F508428B9D1D9088D7BF50519F10
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FE41B8), ref: 00FE42B8
                                    • GetProcAddress.KERNEL32(00000000), ref: 00FE42BF
                                    • EncodePointer.KERNEL32(00000000), ref: 00FE42CA
                                    • DecodePointer.KERNEL32(00FE41B8), ref: 00FE42E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    • Opcode ID: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
                                    • Instruction ID: c7b05fe3c179ec0f2399b36e4b7fa40f45689c4c077f696141dd7c674fbdb496
                                    • Opcode Fuzzy Hash: 60724c58d8a832416ea83fa475050ffcce40a03856c3a9c353ec3736597bff20
                                    • Instruction Fuzzy Hash: 09E0BFBCA45302EBEF70AF65EE4DB093AA4BB14B46F104018F9C1D5048DB7E5500DB14
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    • Opcode ID: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
                                    • Instruction ID: 0984039e8a2f08311dc191abf85b8631f5d16122ba368d798a310a060e7b8aeb
                                    • Opcode Fuzzy Hash: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
                                    • Instruction Fuzzy Hash: A661FF305042AAABDF11EF21CD82FFE3BA8AF44308F044158FD895B292DF79A901DB50
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040548
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01040588
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 010405AB
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 010405D4
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 01040617
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01040624
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    • Opcode ID: 1f98ac2fa589e3bad3ff896cb61c5415c87e77aeae23644b55f9529643b574e7
                                    • Instruction ID: c2338fec294e8d267dd3943b2b4b0db43831e35dff6f81c24a23af2b0e5b8e93
                                    • Opcode Fuzzy Hash: 1f98ac2fa589e3bad3ff896cb61c5415c87e77aeae23644b55f9529643b574e7
                                    • Instruction Fuzzy Hash: DF516971108241AFD710EB28CD85EAFBBE8FF88704F04496DF68597291DB76E904DB92
                                    APIs
                                    • GetMenu.USER32(?), ref: 01045A82
                                    • GetMenuItemCount.USER32(00000000), ref: 01045AB9
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 01045AE1
                                    • GetMenuItemID.USER32(?,?), ref: 01045B50
                                    • GetSubMenu.USER32(?,?), ref: 01045B5E
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 01045BAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: 74da638cb7e097f82239ba3830aaf37d412dfedd916eb8765ceb47e9bd1a7cb6
                                    • Instruction ID: 3b80809884a93bd0529bee6e41e07987703482f4c5b916c7d8faabc9926d2056
                                    • Opcode Fuzzy Hash: 74da638cb7e097f82239ba3830aaf37d412dfedd916eb8765ceb47e9bd1a7cb6
                                    • Instruction Fuzzy Hash: BD5191B5A00216EFDB11DF68CD85AAEB7B4EF48310F1044A9E985BB351CB75AE40CF90
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 0101F3F7
                                    • VariantClear.OLEAUT32(00000013), ref: 0101F469
                                    • VariantClear.OLEAUT32(00000000), ref: 0101F4C4
                                    • _memmove.LIBCMT ref: 0101F4EE
                                    • VariantClear.OLEAUT32(?), ref: 0101F53B
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0101F569
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    • Opcode ID: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
                                    • Instruction ID: ff4af890363c013e85e3d0ae7334ab92d38f78db92d30cbd59a113ac1fc77295
                                    • Opcode Fuzzy Hash: 4c9f06770592c76e9b534734b8fb2d75d4b5a36fe7d3f008b5b2d62032abe36b
                                    • Instruction Fuzzy Hash: 06516BB5A0020AEFDB10CF58D880AAABBF8FF4C354B158159EA59DB305D734E915CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 01022747
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01022792
                                    • IsMenu.USER32(00000000), ref: 010227B2
                                    • CreatePopupMenu.USER32 ref: 010227E6
                                    • GetMenuItemCount.USER32(000000FF), ref: 01022844
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01022875
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
                                    • Instruction ID: 64d06b8263bd2029d2f2dba0205cc56ebefabfb071a047e4de6743d0bd4a3b06
                                    • Opcode Fuzzy Hash: 65ccbe77380544e641ce0319b0b9264957128e5676cbccc4dd355ba75f2fbe52
                                    • Instruction Fuzzy Hash: A951B170A0136ADFDF25CFA8C988AAEBBF4BF44314F104299F9919B291D7B0D544CB51
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00FC179A
                                    • GetWindowRect.USER32(?,?), ref: 00FC17FE
                                    • ScreenToClient.USER32(?,?), ref: 00FC181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FC182C
                                    • EndPaint.USER32(?,?), ref: 00FC1876
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
                                    • Instruction ID: b287fe06997c3b0da90ece751c302ce143501b5d8a1a6dac318d2a83a03789bb
                                    • Opcode Fuzzy Hash: e30e193eef2508825a69883a706d730958dd6baf06c25d5fb8c6018fe492ba1d
                                    • Instruction Fuzzy Hash: 9B41A0B1508302DFD720DF24C985FBA7BE8FB4A724F14066CF9D4861A2C73A9855EB61
                                    APIs
                                    • ShowWindow.USER32(010867B0,00000000,01546590,?,?,010867B0,?,0104B862,?,?), ref: 0104B9CC
                                    • EnableWindow.USER32(00000000,00000000), ref: 0104B9F0
                                    • ShowWindow.USER32(010867B0,00000000,01546590,?,?,010867B0,?,0104B862,?,?), ref: 0104BA50
                                    • ShowWindow.USER32(00000000,00000004,?,0104B862,?,?), ref: 0104BA62
                                    • EnableWindow.USER32(00000000,00000001), ref: 0104BA86
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0104BAA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
                                    • Instruction ID: 4b5eef2e60a8930355a746663b88afe123f8779bbe97e304b625ea0d6e4a6e02
                                    • Opcode Fuzzy Hash: 75627b7d0907d1216d6fabab5f1f81a161a56d45a3dfc1076e9eda7b247acce4
                                    • Instruction Fuzzy Hash: 694153B4600241AFDB62DF2CC5C9BA57FE0BB09315F1841F9EA888F2A6C731E855CB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,01035134,?,?,00000000,00000001), ref: 010373BF
                                      • Part of subcall function 01033C94: GetWindowRect.USER32(?,?), ref: 01033CA7
                                    • GetDesktopWindow.USER32 ref: 010373E9
                                    • GetWindowRect.USER32(00000000), ref: 010373F0
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01037422
                                      • Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
                                    • GetCursorPos.USER32(?), ref: 0103744E
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010374AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
                                    • Instruction ID: 841e63fbfec329b87f3fe31bb3ca1e3ff4f044ea50e14f3a1cfe2cbbb0811074
                                    • Opcode Fuzzy Hash: 40e5cc30a1450cb7859aef050eac4fa1025fa91148e9b8e5e1cfd319c7c374ae
                                    • Instruction Fuzzy Hash: E031B0B2504316ABD720DF58D888F9BBBE9FF98314F004919F9D997181CB75E908CB92
                                    APIs
                                      • Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
                                      • Part of subcall function 010185F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
                                      • Part of subcall function 010185F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
                                      • Part of subcall function 010185F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
                                      • Part of subcall function 010185F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E
                                    • GetLengthSid.ADVAPI32(?,00000000,01018977), ref: 01018DAC
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01018DB8
                                    • HeapAlloc.KERNEL32(00000000), ref: 01018DBF
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 01018DD8
                                    • GetProcessHeap.KERNEL32(00000000,00000000,01018977), ref: 01018DEC
                                    • HeapFree.KERNEL32(00000000), ref: 01018DF3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 3008561057-0
                                    • Opcode ID: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
                                    • Instruction ID: 723fe7897d3460fbb7d73b82a97e7341cc36d854ef7044fdde410740c963fceb
                                    • Opcode Fuzzy Hash: 326859dbdbf857ba19bb27a3dd29e5d2558cc029278360ccf2881a3c31fa7fa5
                                    • Instruction Fuzzy Hash: 9A11E175500606FFDB60AFA8CD88BAE7BA9EF51315F50805AF9C597208C73A9A00CB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 01018B2A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 01018B31
                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01018B40
                                    • CloseHandle.KERNEL32(00000004), ref: 01018B4B
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01018B7A
                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 01018B8E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 1413079979-0
                                    • Opcode ID: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
                                    • Instruction ID: 1179b1785e6d6f1b8a18b5c994680f20cb9ac251dd67e1ccebca0f785a1e2049
                                    • Opcode Fuzzy Hash: 19dab303adb77ed1158703333b5d20bc9abcf937607faafa44a61fb1cf761a8e
                                    • Instruction Fuzzy Hash: EA111DB650120AABEB118F98ED89FDA7BE9FB45304F044055FE44A2154C27A9E609B60
                                    APIs
                                      • Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
                                      • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
                                      • Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
                                      • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0104C1C4
                                    • LineTo.GDI32(00000000,00000003,?), ref: 0104C1D8
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C1E6
                                    • LineTo.GDI32(00000000,00000000,?), ref: 0104C1F6
                                    • EndPath.GDI32(00000000), ref: 0104C206
                                    • StrokePath.GDI32(00000000), ref: 0104C216
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
                                    • Instruction ID: 91da79ab4b8c95d7388c69213b0fe3639adfec00a583c6122065f46010fe5090
                                    • Opcode Fuzzy Hash: cf29c2c1f10918e90d6f3f0b07c64de7dc4859fe3fa0f9c2c0fe89c65bb7311c
                                    • Instruction Fuzzy Hash: 0D115EB600010DBFEF219F94DD88FDA3FACEB04354F048021BA8846165C7769D54DBA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FE03D3
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FE03DB
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FE03E6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FE03F1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FE03F9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FE0401
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
                                    • Instruction ID: f38200f2867656847c097720d73222093864512debc349775a3d42b0e966fc47
                                    • Opcode Fuzzy Hash: c246b060f32b71d6900534dba0d7e1e49e82d77212d56a50eb9fcc3cc262a4f3
                                    • Instruction Fuzzy Hash: 79016CB090275A7DE3009F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0102569B
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 010256B1
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 010256C0
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256CF
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256D9
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 010256E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
                                    • Instruction ID: 36433969bd43e1d5cde34f50d507174e1e1cd1e9faeb08e2a2cd941a27d3beb3
                                    • Opcode Fuzzy Hash: a52256f202aa07a51422b31774e4049f841d70cf4814ad9ecc8a9c4fcee7aa83
                                    • Instruction Fuzzy Hash: 21F09675141159BBE3315A66DD4DEEF7B7CEFCBB11F000159F940D1041D7A61A0187B5
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 010274E5
                                    • EnterCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 010274F6
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00FD1044,?,?), ref: 01027503
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FD1044,?,?), ref: 01027510
                                      • Part of subcall function 01026ED7: CloseHandle.KERNEL32(00000000,?,0102751D,?,00FD1044,?,?), ref: 01026EE1
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 01027523
                                    • LeaveCriticalSection.KERNEL32(?,?,00FD1044,?,?), ref: 0102752A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
                                    • Instruction ID: 281f3e3bd1c684536e971130f14ebb0eb1e1aa94050f39c793b8cddb65c50377
                                    • Opcode Fuzzy Hash: b96826a039c76c010020ae4038ee5bb8685a2974df09002b6c9959224d4c0a2d
                                    • Instruction Fuzzy Hash: 41F054BE540623ABEB212B68FFCC9DB7B69EF45302B000561F682910A8CB7A5401CB50
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01018E7F
                                    • UnloadUserProfile.USERENV(?,?), ref: 01018E8B
                                    • CloseHandle.KERNEL32(?), ref: 01018E94
                                    • CloseHandle.KERNEL32(?), ref: 01018E9C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 01018EA5
                                    • HeapFree.KERNEL32(00000000), ref: 01018EAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                    • String ID:
                                    • API String ID: 146765662-0
                                    • Opcode ID: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
                                    • Instruction ID: 90cf2ae884b947986d0168f10d42123af3509f03be4b074c3b7eb5fe976aba35
                                    • Opcode Fuzzy Hash: 625c63b03d8432b702a7b0529286dfceeee090e5ce680978e1c1777cb92f9049
                                    • Instruction Fuzzy Hash: 14E0EDBA004002BBD7112FE9EE4C906BFB9FF897227108220F255C1478CB3B5420DB50
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 01038928
                                    • CharUpperBuffW.USER32(?,?), ref: 01038A37
                                    • VariantClear.OLEAUT32(?), ref: 01038BAF
                                      • Part of subcall function 01027804: VariantInit.OLEAUT32(00000000), ref: 01027844
                                      • Part of subcall function 01027804: VariantCopy.OLEAUT32(00000000,?), ref: 0102784D
                                      • Part of subcall function 01027804: VariantClear.OLEAUT32(00000000), ref: 01027859
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: ccb560c901bd50f9217952aee4324a790f999645e2a4a13a57c7a40e48417f80
                                    • Instruction ID: ae932d8ea845bee59c7747cff017f64611d9dd802d925d5e6a7d27de8c8ff714
                                    • Opcode Fuzzy Hash: ccb560c901bd50f9217952aee4324a790f999645e2a4a13a57c7a40e48417f80
                                    • Instruction Fuzzy Hash: E5919F74608302DFC714DF28C58595ABBE8EFC8714F048AAEF89A8B351DB35E945CB52
                                    APIs
                                      • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
                                    • _memset.LIBCMT ref: 01023077
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 010230A6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01023159
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01023187
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: 4e452453d435e990daf2a4fef3b33bb8e3772e3e8addf729ad9db4227a3a4a95
                                    • Instruction ID: 2333f6fbc83c90d96f63b26b457a94ae6e3475f2f003fda915c10f10bec2094f
                                    • Opcode Fuzzy Hash: 4e452453d435e990daf2a4fef3b33bb8e3772e3e8addf729ad9db4227a3a4a95
                                    • Instruction Fuzzy Hash: 615102316083219BE7A59E28C845B6BBBF4FF48310F140A6DFAC5DB191DB79C9448792
                                    APIs
                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0101DAFB
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0101DB0C
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0101DB8E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: ee361bc0681ade029ec7ab610bdb6f4fe4069748288ea0bdbaaaf0a05e722e63
                                    • Instruction ID: 29b97b28310d5d646912861f49f00d17d20b8f68b53063261905133e8d34dc02
                                    • Opcode Fuzzy Hash: ee361bc0681ade029ec7ab610bdb6f4fe4069748288ea0bdbaaaf0a05e722e63
                                    • Instruction Fuzzy Hash: 534185B1600209EFDB15CF99C8C8A9A7BF9FF44314F04819DAE469F209D7B5D940CBA0
                                    APIs
                                    • _memset.LIBCMT ref: 01022CAF
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 01022CCB
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 01022D11
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01086890,00000000), ref: 01022D5A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: 37df962dcbaf43c649faa7e4dc1f2199a936538c1c675859d2942b7ab4746f25
                                    • Instruction ID: 5ca3359ba41d9d1383d829a7a6d793eec5265ca512e9a299de25feb5dddfd2de
                                    • Opcode Fuzzy Hash: 37df962dcbaf43c649faa7e4dc1f2199a936538c1c675859d2942b7ab4746f25
                                    • Instruction Fuzzy Hash: 5841BF742043529FD720EF68C884B5BBBE8EF85320F14465EFAA5972A1D770E505CBA2
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 010193F6
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01019409
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 01019439
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    • Opcode ID: 7a828211a900530a182359a85aeaba46cac81678b8b0ef3a38238962d9390510
                                    • Instruction ID: 54afbd7e9e2b4808efef86ac62ac43946e8969ade7795e476f267952ebbdca55
                                    • Opcode Fuzzy Hash: 7a828211a900530a182359a85aeaba46cac81678b8b0ef3a38238962d9390510
                                    • Instruction Fuzzy Hash: EB2146B1940105BFEB14AB75CC86DFEBBB8DF05364B00411DF9A6971E4CF3D09099A10
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01031B66
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01031B96
                                    • InternetCloseHandle.WININET(00000000), ref: 01031BDD
                                      • Part of subcall function 01032777: GetLastError.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 0103278C
                                      • Part of subcall function 01032777: SetEvent.KERNEL32(?,?,01031B0B,00000000,00000000,00000001), ref: 010327A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: dfd86a87e8d52eb9cf034739ddd898f5d19cdc9e270a7cebadf3f650ea9222ef
                                    • Instruction ID: 9e2eef2d0fa44eb869f4cfe3b0b297151cb9b7516de4329f00aeb394037d730f
                                    • Opcode Fuzzy Hash: dfd86a87e8d52eb9cf034739ddd898f5d19cdc9e270a7cebadf3f650ea9222ef
                                    • Instruction Fuzzy Hash: 6C21BEB5500209BFEB269F289CC4EBF76ECFB89644F00011AF585E2240EB399D0587B1
                                    APIs
                                      • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                                      • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                                      • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 010466D0
                                    • LoadLibraryW.KERNEL32(?), ref: 010466D7
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 010466EC
                                    • DestroyWindow.USER32(?), ref: 010466F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 0102712B
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0102715D
                                    • GetStdHandle.KERNEL32(000000F6), ref: 0102716E
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010271A8
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 0102705E
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01027091
                                    • GetStdHandle.KERNEL32(0000000C), ref: 010270A3
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 010270DD
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 0102AEBF
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0102AF13
                                    • __swprintf.LIBCMT ref: 0102AF2C
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0104F910), ref: 0102AF6A
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    APIs
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                      • Part of subcall function 0101A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
                                      • Part of subcall function 0101A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
                                      • Part of subcall function 0101A37C: GetCurrentThreadId.KERNEL32 ref: 0101A3B3
                                      • Part of subcall function 0101A37C: AttachThreadInput.USER32(00000000), ref: 0101A3BA
                                    • GetFocus.USER32 ref: 0101A554
                                      • Part of subcall function 0101A3C5: GetParent.USER32(?), ref: 0101A3D3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 0101A59D
                                    • EnumChildWindows.USER32(?,0101A615), ref: 0101A5C5
                                    • __swprintf.LIBCMT ref: 0101A5DF
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                    • String ID: %s%d
                                    • API String ID: 1941087503-1110647743
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 01022048
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0103EF1B
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0103EF4B
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0103F07E
                                    • CloseHandle.KERNEL32(?), ref: 0103F0FF
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 010410A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01040038,?,?), ref: 010410BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01040388
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010403C7
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0104040E
                                    • RegCloseKey.ADVAPI32(?,?), ref: 0104043A
                                    • RegCloseKey.ADVAPI32(00000000), ref: 01040447
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    APIs
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DC3B
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0103DCBE
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0103DCDA
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0103DD1B
                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0103DD35
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0102E88A
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0102E8B3
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0102E8F2
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0102E917
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0102E91F
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00FC2357
                                    • ScreenToClient.USER32(010867B0,?), ref: 00FC2374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00FC2399
                                    • GetAsyncKeyState.USER32(00000002), ref: 00FC23A7
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0101695D
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 010169A9
                                    • TranslateMessage.USER32(?), ref: 010169D2
                                    • DispatchMessageW.USER32(?), ref: 010169DC
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010169EB
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 01018F12
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 01018FBC
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01018FC4
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 01018FD2
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01018FDA
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
                                    • Instruction ID: e8311ddb88a1bd83947fa896efd640e2458f0103f0f77279b77a8a989d35e4c0
                                    • Opcode Fuzzy Hash: 04218b4f00b4063eb70ebc0df6de360b3d46488dbd237ccd725e5b0b489d5441
                                    • Instruction Fuzzy Hash: 2E31E2B150021AEFDB14CF6CD98CA9E7BB6EB04315F00825AFAA4A71D5C3B49A14CB50
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 0101B6C7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0101B6E4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0101B71C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0101B742
                                    • _wcsstr.LIBCMT ref: 0101B74C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: ecbb6684e7e9b1b354889e622584db0ed42e892a576142af8a05d0c9d8c781b2
                                    • Instruction ID: 6ba0d5035523cbbc7e5efd354a5a689020c9b46c54dc09a0e33df1208e7ec17e
                                    • Opcode Fuzzy Hash: ecbb6684e7e9b1b354889e622584db0ed42e892a576142af8a05d0c9d8c781b2
                                    • Instruction Fuzzy Hash: 12212672204244BBEB255B3E9D49E7B7BFCEF49760F044069FD49CA195EF69C84093A0
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 0104B44C
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0104B471
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0104B489
                                    • GetSystemMetrics.USER32(00000004), ref: 0104B4B2
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01031184,00000000), ref: 0104B4D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    • Opcode ID: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
                                    • Instruction ID: e5fb8a4b3932eecb04c1d6dd58f83a5ad5bb868172b7df00017058fba20510fc
                                    • Opcode Fuzzy Hash: db35d7d80c8eb441ebec5811e5755a30a878b386792104cf0bfdee1bc9db3705
                                    • Instruction Fuzzy Hash: FE2191B1914226AFDB609E3CCC84B6A3BA4FB45720F114778FAA6D21D0EB31D811CB90
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01019802
                                      • Part of subcall function 00FC7D2C: _memmove.LIBCMT ref: 00FC7D66
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019834
                                    • __itow.LIBCMT ref: 0101984C
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01019874
                                    • __itow.LIBCMT ref: 01019885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    • Opcode ID: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
                                    • Instruction ID: 13b15512053ac1b3542e15c554a1d0200f842e123497d3286a06cd652d059443
                                    • Opcode Fuzzy Hash: 8925aad39b58a5547b167b2afdbb38db72fd114280654bc16c6fcd381866a5b9
                                    • Instruction Fuzzy Hash: 2D210A71B00305FBEB10BA798D8AEEE3BA9EF48714F040069FE45DB241D6788D419791
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
                                    • SelectObject.GDI32(?,00000000), ref: 00FC135C
                                    • BeginPath.GDI32(?), ref: 00FC1373
                                    • SelectObject.GDI32(?,00000000), ref: 00FC139C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
                                    • Instruction ID: 285cf9a5721d85fc1a86354edc4ff8600707ef4d5e173e2947f373fae6d76dd6
                                    • Opcode Fuzzy Hash: 3bd501c344f92b074081890cf2de0605a17b1f5d74c1cbb326e99afa883fe277
                                    • Instruction Fuzzy Hash: 6E21D8B0C14346DFDB208F54DA09B6D3BB8FB11325F21431AF4C496195D37B8861EB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
                                    • Instruction ID: 105a7c774b4b7a498366bdbadfb5594413ad25c1b1692578232a98344219d1c3
                                    • Opcode Fuzzy Hash: 0a5f63327d2465eddcffd203a53d9a1c057f09a1cc79abbe4c196ca81c9e347d
                                    • Instruction Fuzzy Hash: 3601D8B26C4109BBF345A6275E42FAF77DCAF12294F444029FD449B247F768DE1182E2
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 01024D5C
                                    • __beginthreadex.LIBCMT ref: 01024D7A
                                    • MessageBoxW.USER32(?,?,?,?), ref: 01024D8F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01024DA5
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01024DAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    • Opcode ID: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
                                    • Instruction ID: cde8718004b4ec5dede15c02f3de5f29073e141c155bbe66d1b384108756a42c
                                    • Opcode Fuzzy Hash: 4c70bc6909359a4a9e1a26499329bb76844ab268c4ec41b8bd577bfb380cf0b3
                                    • Instruction Fuzzy Hash: AB1148B6908654BBC7219BACDC44ADE7FECEB45320F144299F994D7241C67A880087A0
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01018766
                                    • GetLastError.KERNEL32(?,0101822A,?,?,?), ref: 01018770
                                    • GetProcessHeap.KERNEL32(00000008,?,?,0101822A,?,?,?), ref: 0101877F
                                    • HeapAlloc.KERNEL32(00000000,?,0101822A,?,?,?), ref: 01018786
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0101879D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 842720411-0
                                    • Opcode ID: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
                                    • Instruction ID: 2e54191a8609b46b0a57ac1ad7ae4110666099a3eaf325f6e1027d39f90f5911
                                    • Opcode Fuzzy Hash: 836962771244ec751f94f338de551ddff6c401da8c17cdfb2fb97b08879c5ab7
                                    • Instruction Fuzzy Hash: B4016DB5200205BFDB245FBADD88D6B7FACFF8A255710446AF989C3254DA36D910CB60
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025502
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025510
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01025518
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01025522
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
                                    • Instruction ID: 5f7ffa095f2bf7c7ab9b9af4aa93416d932bd7c61ac326203c4f39d376ef389b
                                    • Opcode Fuzzy Hash: 152eaff66b44b3a3c7d4f9b83fed886350595421e1a9360dca2fa1e7d89e122b
                                    • Instruction Fuzzy Hash: 25015B75D0063ADBCF10EFE8ED986EDBBB8BB09711F440086E981F2144DB355550C7A5
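The entries in this listing all share one shape: an "APIs" header, one bullet per call with its module, raw hex arguments and call-site address, then the "Similarity" block with the API ID and the instruction fuzzy hash. The parser below, an added example and not part of the Joe Sandbox report or its tooling, turns that text into per-function call sequences, decodes a few argument constants from winuser.h and winnt.h (keyed on the numeric value rather than on the sandbox's annotation, since class 3 of TOKEN_INFORMATION_CLASS is TokenPrivileges and TokenIntegrityLevel is 25), and tags the sequences a reverser triages first: the QueryPerformanceCounter, Sleep, QueryPerformanceCounter timing check of the entry just above and the WM_LBUTTONDOWN/WM_LBUTTONUP click posted by the GetWindowRect/PostMessageW entry earlier in the listing. The sample text is constructed from lines of this report (the third entry mixes lines from several functions to exercise the corner cases); the tag names and rules are this example's own, not a Joe Sandbox signature.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox report into API call
sequences, decode a few argument constants and flag patterns worth triaging."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the first two entries are copied (trimmed) from the report
# listing; the third is assembled from lines of several entries to exercise the
# corner cases (subcall prefix, annotated argument, call without parentheses).
SAMPLE_REPORT = """\
APIs
• GetWindowRect.USER32(?,?), ref: 01018F12
• PostMessageW.USER32(?,00000201,00000001), ref: 01018FBC
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01018FC4
• PostMessageW.USER32(?,00000202,00000000), ref: 01018FD2
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01018FDA
Memory Dump Source
• Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
Similarity
• API ID: MessagePostSleep$RectWindow
• Instruction Fuzzy Hash: 2E31E2B150021AEFDB14CF6CD98CA9E7BB6EB04315F00825AFAA4A71D5C3B49A14CB50
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?), ref: 01025502
• QueryPerformanceFrequency.KERNEL32(?,?), ref: 01025510
• Sleep.KERNEL32(00000000,?), ref: 01025518
• QueryPerformanceCounter.KERNEL32(?,?), ref: 01025522
• Sleep.KERNEL32(?,00000000,?), ref: 0102555E
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• Instruction Fuzzy Hash: 25015B75D0063ADBCF10EFE8ED986EDBBB8BB09711F440086E981F2144DB355550C7A5
APIs
  • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
• DeleteObject.GDI32 ref: 00FC1401
• _wcsstr.LIBCMT ref: 0101B74C
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001), ref: 0101766F
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>.*?)\s*$")
HASH_RE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)\s*$")
ARG_RE = re.compile(r"^(?P<sign>-?)(?P<hex>[0-9A-F]{1,8})(?:\(.*\))?$")

# Constants from winuser.h / winnt.h. The report prints the raw hex, so decode it
# here instead of trusting the sandbox annotation (class 3 is TokenPrivileges;
# TokenIntegrityLevel is 25).
WINDOW_MESSAGES = {0x0D: "WM_GETTEXT", 0x0E: "WM_GETTEXTLENGTH",
                   0x201: "WM_LBUTTONDOWN", 0x202: "WM_LBUTTONUP"}
TOKEN_CLASSES = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                 25: "TokenIntegrityLevel"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                     # int per argument, None for "?" (unknown)
    ref: str                       # call-site address printed after "ref:"
    subcall: Optional[str] = None  # callee address when the call is in a subcall


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""


def parse_arg(text: str):
    """'00000201' -> 0x201, '-C0000018' -> -0xC0000018, '?' -> None."""
    m = ARG_RE.match(text)
    if not m:
        return None
    value = int(m["hex"], 16)
    return -value if m["sign"] else value


def parse_report(text: str) -> list:
    """Split the text at each 'APIs' header; collect calls, API ID and hash."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := API_RE.match(line)):
            raw = m["args"]
            args = [parse_arg(a.strip()) for a in raw.split(",")] if raw is not None else []
            current.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
        elif (m := API_ID_RE.match(line)):
            current.api_id = m["id"]
        elif (m := HASH_RE.match(line)):
            current.fuzzy_hash = m["h"]
    return entries


def describe(call: ApiCall) -> str:
    """Call name with its message / token-class argument decoded when known."""
    arg = call.args[1] if len(call.args) > 1 else None
    if call.name in ("PostMessageW", "SendMessageW") and arg in WINDOW_MESSAGES:
        return f"{call.name}({WINDOW_MESSAGES[arg]})"
    if call.name == "GetTokenInformation" and arg in TOKEN_CLASSES:
        return f"{call.name}({TOKEN_CLASSES[arg]})"
    return call.name


def _in_order(names: list, pattern: list) -> bool:
    """True when `pattern` occurs as a subsequence of `names` (gaps allowed)."""
    it = iter(names)
    return all(any(n == p for n in it) for p in pattern)


def triage(entry: FunctionEntry) -> list:
    """Tags (this example's own) for call sequences worth a first look."""
    names = [c.name for c in entry.calls if c.subcall is None]
    tags = []
    if _in_order(names, ["QueryPerformanceCounter", "Sleep", "QueryPerformanceCounter"]):
        tags.append("execution timing check (QPC/Sleep/QPC)")
    posted = {c.args[1] for c in entry.calls if c.name == "PostMessageW" and len(c.args) > 1}
    if {0x201, 0x202} <= posted:
        tags.append("synthesized mouse click (WM_LBUTTONDOWN/WM_LBUTTONUP)")
    if "GetTokenInformation" in names:
        tags.append("process token inspection")
    return tags


if __name__ == "__main__":
    for entry in parse_report(SAMPLE_REPORT):
        print(entry.fuzzy_hash[:16] or "(no hash)",
              " -> ".join(describe(c) for c in entry.calls), triage(entry))
```

Feed the full report text to parse_report and the instruction fuzzy hashes become a key for matching the same runtime functions across reports of other samples, which is what the "Similarity" block is for; the triage tags only surface candidates, and the timing or click logic still has to be confirmed in the disassembly.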
                                    APIs
                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?,?,0101799D), ref: 0101766F
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 0101768A
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 01017698
                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?), ref: 010176A8
                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0101758C,80070057,?,?), ref: 010176B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
                                    • Instruction ID: add02ab5f85eb72815dd00ab5230874340bc5fc4c57876d06de4861a8ff190d4
                                    • Opcode Fuzzy Hash: 839eb21d80e7c7c2e8108816e9ebdd5aac26e45f5ef53d926a20ae304b9c4ba5
                                    • Instruction Fuzzy Hash: 7401D4B6600215BBEB204F5CDD44BAA7FECEB48651F100458FE84D7209E73ADD4087A0
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01018608
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01018612
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01018621
                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01018628
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0101863E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: c3dfc44b8b9bcfe44fabf1363e2099b3dd22bd651c1f0b8eb44abfd9f231c494
                                    • Instruction ID: 2d902fd6c6d9e3c6065a5b5f360881ee9dd2d26e16cdf2ed2b2dab050d9e25f0
                                    • Opcode Fuzzy Hash: c3dfc44b8b9bcfe44fabf1363e2099b3dd22bd651c1f0b8eb44abfd9f231c494
                                    • Instruction Fuzzy Hash: 89F0C274200205AFEB211FACDDCDE6B3FECEF8A654B004416F985C2144CB7A9841DB60
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 01018669
                                    • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 01018673
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 01018682
                                    • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 01018689
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0101869F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: 83c8a4195c52cbc4219a1437379f22a30da04584553153869cbb5558aef0cc81
                                    • Instruction ID: 37cafa33ecd0e9b2cf7e5929c6106e780d43075ec18cba96de8a2df1e087739a
                                    • Opcode Fuzzy Hash: 83c8a4195c52cbc4219a1437379f22a30da04584553153869cbb5558aef0cc81
                                    • Instruction Fuzzy Hash: 3DF0AFB8200205AFEB211FA8ECC8E673FECEF8A654B100416F985D3144CA6A9900DB60
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 0101C6BA
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0101C6D1
                                    • MessageBeep.USER32(00000000), ref: 0101C6E9
                                    • KillTimer.USER32(?,0000040A), ref: 0101C705
                                    • EndDialog.USER32(?,00000001), ref: 0101C71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: 2cd56716015c8835c56a4ac54069eb42b5872eb319d6c27efd2667ff021f458d
                                    • Instruction ID: a2a7017dde3e599d4010475c06071e0801866a0f917274196292a7f198dc57cf
                                    • Opcode Fuzzy Hash: 2cd56716015c8835c56a4ac54069eb42b5872eb319d6c27efd2667ff021f458d
                                    • Instruction Fuzzy Hash: CE0184744403059BFB315B28EE8EF967BB8BB04701F00055DB6C2A14D5DBE9A9548B40
                                    APIs
                                    • EndPath.GDI32(?), ref: 00FC13BF
                                    • StrokeAndFillPath.GDI32(?,?,00FFBAD8,00000000,?), ref: 00FC13DB
                                    • SelectObject.GDI32(?,00000000), ref: 00FC13EE
                                    • DeleteObject.GDI32 ref: 00FC1401
                                    • StrokePath.GDI32(?), ref: 00FC141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 074c43ccbdacd7533ee2dd18179fbc750fad4789cd7adc404a931943a2365642
                                    • Instruction ID: 87fcf251aebb0c5b770dc831b0d7e01da6fda73d6f06ef1569dc3325bf897e8f
                                    • Opcode Fuzzy Hash: 074c43ccbdacd7533ee2dd18179fbc750fad4789cd7adc404a931943a2365642
                                    • Instruction Fuzzy Hash: B6F06DB001824ADBDB354F1AEA4DB583BA4BB12326F148318F4E9440E9C33B44A1DF10
                                    APIs
                                      • Part of subcall function 00FE0FF6: std::exception::exception.LIBCMT ref: 00FE102C
                                      • Part of subcall function 00FE0FF6: __CxxThrowException@8.LIBCMT ref: 00FE1041
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 00FC7BB1: _memmove.LIBCMT ref: 00FC7C0B
                                    • __swprintf.LIBCMT ref: 00FD302D
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FD2EC6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    • Opcode ID: a61fcb1d88fb83c846cec9a9d41b15f009eb1cff1f3ced1d0226523f55ed2f20
                                    • Instruction ID: 742775c3b814423c10435a5aa599de400b6bc14e6fb83201a3450bdb8db0915b
                                    • Opcode Fuzzy Hash: a61fcb1d88fb83c846cec9a9d41b15f009eb1cff1f3ced1d0226523f55ed2f20
                                    • Instruction Fuzzy Hash: 5F91AD311083029FD718EF24CD8AD6EB7E5EF85710F44091EF5829B2A1DA75EE44EB52
                                    APIs
                                      • Part of subcall function 00FC48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FC48A1,?,?,00FC37C0,?), ref: 00FC48CE
                                    • CoInitialize.OLE32(00000000), ref: 0102BC26
                                    • CoCreateInstance.OLE32(01052D6C,00000000,00000001,01052BDC,?), ref: 0102BC3F
                                    • CoUninitialize.OLE32 ref: 0102BC5C
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    • Opcode ID: 4b6582adba93863810c992bc54d5a73efaec52e884e782c7e508e40779c2d6e1
                                    • Instruction ID: 0580efa5a4c143113801fba1d5ed9c7c212355da90d1b7f56c0e5bf1cba1d676
                                    • Opcode Fuzzy Hash: 4b6582adba93863810c992bc54d5a73efaec52e884e782c7e508e40779c2d6e1
                                    • Instruction Fuzzy Hash: FAA143752043129FCB00DF18C985E6ABBE5FF88714F14898CF8999B261CB35ED45CB92
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 00FE52DD
                                      • Part of subcall function 00FF0340: __87except.LIBCMT ref: 00FF037B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 5b35b51a5797108f38b2e8186dfcf873787688cedeb0239a9027b829037d5f72
                                    • Instruction ID: 6fc721b7d2ecc9dbcc453789b9c9abc61962f2b30455635a6f7252886e7f4a25
                                    • Opcode Fuzzy Hash: 5b35b51a5797108f38b2e8186dfcf873787688cedeb0239a9027b829037d5f72
                                    • Instruction Fuzzy Hash: ED51AE71E0974987CB21B625C94137E3B91AF00B64F608D59E2D5812FBEF798CC4BB42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$+
                                    • API String ID: 0-2552117581
                                    • Opcode ID: fcd4c48358ce4a0e0bbb252d026f8c62fd527b8ef22dcd5f9234f00a3305b191
                                    • Instruction ID: 326957e0d48567a1cefc2738dad0ceb5de05aa518c2f342b54327874a8e8c871
                                    • Opcode Fuzzy Hash: fcd4c48358ce4a0e0bbb252d026f8c62fd527b8ef22dcd5f9234f00a3305b191
                                    • Instruction Fuzzy Hash: D35135355042468FDF21AF2DCC89AF97BE4EF9A310F540095E8D19F2A4DB789883DB20
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    • Opcode ID: 1d255c593922b31f3e7168a1ea724972d16fa2f30d6e17e416e8adb6aed9d786
                                    • Instruction ID: 4c2cc0963172324395f2bb7926a1ebb1a69df40541eeaed5ce68c4106723080d
                                    • Opcode Fuzzy Hash: 1d255c593922b31f3e7168a1ea724972d16fa2f30d6e17e416e8adb6aed9d786
                                    • Instruction Fuzzy Hash: ED51A171D003099BDB28DF65C8857AABBF5EF04324F14856FE98ACB341E7759684CB40
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0104F910,00000000,?,?,?,?), ref: 01047C4E
                                    • GetWindowLongW.USER32 ref: 01047C6B
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01047C7B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: 29ac4ec83214688fc33a79149d7f8a57d9d5afbddcbe2a262217007649a632a3
                                    • Instruction ID: 0a047407d9908d435803ed3b2a7cb92f554ba4356b5321c7ec5784269623e1c5
                                    • Opcode Fuzzy Hash: 29ac4ec83214688fc33a79149d7f8a57d9d5afbddcbe2a262217007649a632a3
                                    • Instruction Fuzzy Hash: 4031E37120020AAFDB619E38DC85BEA7BA9FF45324F204729F9B5931D1D735E8509B90
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 010476D0
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 010476E4
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 01047708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: fbb3f1c1420c1d1203fb0f329ba79a2f958d658692e9447c2c007d7aaff0b3b5
                                    • Instruction ID: 6204c10f4b744c40664e4a39f011044d4da4074708cc3d60d42d802800cf51b6
                                    • Opcode Fuzzy Hash: fbb3f1c1420c1d1203fb0f329ba79a2f958d658692e9447c2c007d7aaff0b3b5
                                    • Instruction Fuzzy Hash: 0D21B472500219ABDF22CE54CC86FEA3BA5FB4C754F110254FE956B1D1D7B5A8508B90
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01046FAA
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01046FBA
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01046FDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: b5305ac9391f502bc8c3e2bd6e813e83b44438bf4a114aa6d21ae8e433c54f8d
                                    • Instruction ID: 257dff18516ef531703a7922ae140b5d07be28320a0538b58dfb18be01008918
                                    • Opcode Fuzzy Hash: b5305ac9391f502bc8c3e2bd6e813e83b44438bf4a114aa6d21ae8e433c54f8d
                                    • Instruction Fuzzy Hash: 9B21C572610118BFEF128F58CCC5FAB37AAFF8A750F418164F9859B191DA729C51C7A0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 010479E1
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 010479F6
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01047A03
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: e833233b23bc6e531705403babfbcc486eb81e4c9a51defaba68b415f3747271
                                    • Instruction ID: 0466ae7f34f71638ab6eec639d0599b8e46dbd776d1419b05bdc1d220e14d43b
                                    • Opcode Fuzzy Hash: e833233b23bc6e531705403babfbcc486eb81e4c9a51defaba68b415f3747271
                                    • Instruction Fuzzy Hash: ED11E772250249BBEF219E74CC45FEB77A9EFC9764F02052DF681A6091D272D811CB60
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4C2E), ref: 00FC4CA3
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FC4CB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: f0d661256bcae0dfa440629162172e32702a917cbf22bf093d790775248fd42a
                                    • Instruction ID: 6fb35f3f32efa3f76585b464e19413891f8b6107471eac1f5694cd58b257668e
                                    • Opcode Fuzzy Hash: f0d661256bcae0dfa440629162172e32702a917cbf22bf093d790775248fd42a
                                    • Instruction Fuzzy Hash: 2FD012B4911723CFD7209F39DBA9A0676D5AF06691B11883D98C5D6520D674D880C750
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4CE1,?), ref: 00FC4DA2
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FC4DB4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
                                    • Instruction ID: feee7a2729a405c6e7d75dff812333459acbf2cd9d0865439c09094a755aa006
                                    • Opcode Fuzzy Hash: 8698d0fd7577dcac371597c01b0be65b7570fb992fd62ba789d8c92c6e9ea9ae
                                    • Instruction Fuzzy Hash: 8FD0C2B4900313CFC7305F35C659B4672D4AF06290B00883DD8C2C6510D774D880C750
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FC4D2E,?,00FC4F4F,?,010862F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00FC4D6F
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FC4D81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
                                    • Instruction ID: 65b76d246f68a22d3ef8d8678c861e0cb359a0bd9c6fae5bb5b4b2fed352f2d4
                                    • Opcode Fuzzy Hash: c078213387769f5beb3b86b7a13b858620e5cb5b34c8772ecfe7bcf1ebc570fb
                                    • Instruction Fuzzy Hash: 69D012B4910713CFD7305F35DA59B1676D8BF162A1B11887D98C7D6210D675D880CB90
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,010412C1), ref: 01041080
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01041092
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
                                    • Instruction ID: 46f7fcf38d131e309cbfbcfb99c65da4bade0050e1048d88295eef37b68e84b7
                                    • Opcode Fuzzy Hash: 32fed3d519d14a058d7725263e5af03ed2e2fb1c4efd2ec83b215aae1e0dc788
                                    • Instruction Fuzzy Hash: 19D012F49117138FD7305F39D59895676E4AF05251F118C7DA4C5DA110DAB4D4C0C754
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,01039009,?,0104F910), ref: 01039403
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01039415
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
                                    • Instruction ID: 11bd44c6b307e17edae3b950c7110997fe3762dbd17d89ab0ed3139333788bf4
                                    • Opcode Fuzzy Hash: f596ecb23cbd8a9f6a1f7dd6660403c8665e487f8ae949925e8c4fcc38ad6ded
                                    • Instruction Fuzzy Hash: 39D0C2B4900313CFD7204F39C64890776D8AF02241B10C83D94C1C6510DAB4C4C0C750
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
                                    • Instruction ID: e1ab5b19105051a4878c21270e96686bd06c71d2419302602a2a271f0a6e911b
                                    • Opcode Fuzzy Hash: 34844ab1f7fc08c28c37b250e49a640718e191bad41cde71d2c0aceff98b4629
                                    • Instruction Fuzzy Hash: 36D012B6C04519EBDB159A918D89DFD777CAB04301F440592F58692040F379DB849B25
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
                                    • Instruction ID: ab3d8b574025ae573560cc5137b8c1cb11098e5a83a213d6e2cf1445f8b1bf36
                                    • Opcode Fuzzy Hash: 2b4756d82395062060e7004c1325a9e840668f110db1ec1a84a6a24a208bae8b
                                    • Instruction Fuzzy Hash: EBC19075A00216EFDB14CF98C884EAEBBF5FF48310B148598E985EB255D734EE81CB90
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 0103E3D2
                                    • CharLowerBuffW.USER32(?,?), ref: 0103E415
                                      • Part of subcall function 0103DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0103DAD9
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0103E615
                                    • _memmove.LIBCMT ref: 0103E628
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    • Opcode ID: 4899ab1fab368b09aba8b2f43051c39a9c33a7fb2d2883821fa2543e8f8f2c17
                                    • Instruction ID: 10b031150b8e685a1e9a44a37d27d3b048b7a38ab2c18dcebefefeb248c2c51d
                                    • Opcode Fuzzy Hash: 4899ab1fab368b09aba8b2f43051c39a9c33a7fb2d2883821fa2543e8f8f2c17
                                    • Instruction Fuzzy Hash: C8C16B716083428FC754DF28C480A5ABBE4FF88714F048A6DF8999B351DB75E946CF82
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 010383D8
                                    • CoUninitialize.OLE32 ref: 010383E3
                                      • Part of subcall function 0101DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0101DAC5
                                    • VariantInit.OLEAUT32(?), ref: 010383EE
                                    • VariantClear.OLEAUT32(?), ref: 010386BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: c69eff4f477f7b4aefacdd2614f30bdd03ecef4f03f496797128f649bb2ab5d9
                                    • Instruction ID: 93680846187b5d6f475b9540ee4173385e3fdbfc44cad2029073b6b1c59ddb1d
                                    • Opcode Fuzzy Hash: c69eff4f477f7b4aefacdd2614f30bdd03ecef4f03f496797128f649bb2ab5d9
                                    • Instruction Fuzzy Hash: BFA127752047029FDB10DF19C985F1ABBE8BF88714F05858DFA9A9B3A1CB74E904DB41
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 81cb51c4203a78e6623ff9c131dd8087192312c2365e545a501be620202496c1
                                    • Instruction ID: 6889224c4cf0f9fd2176a465e536700bb5f7baa0800ede167c9235b020c5caa9
                                    • Opcode Fuzzy Hash: 81cb51c4203a78e6623ff9c131dd8087192312c2365e545a501be620202496c1
                                    • Instruction Fuzzy Hash: 8C51B134604303DADB60AF69D895B6EB7E5AF48310F50881FF6D6CB295DFB9D8808B11
                                    APIs
                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 01036CE4
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036CF4
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01036D58
                                    • WSAGetLastError.WSOCK32(00000000), ref: 01036D64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$__itow__swprintfsocket
                                    • String ID:
                                    • API String ID: 2214342067-0
                                    • Opcode ID: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
                                    • Instruction ID: a6f320c4353b3f2ccc1c3df6dabf32d8c08c7545c258500df031fd3d3b7e9b4f
                                    • Opcode Fuzzy Hash: 05e5714e24a240ab1e0b166f3b3205aa4122b7858d2c75b2a4e95ff3b2437f32
                                    • Instruction Fuzzy Hash: B041D774740201AFEB20AF28DD8BF7A77E99F44B10F44805CFA599F2C2DAB99D019751
                                    APIs
                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0104F910), ref: 010367BA
                                    • _strlen.LIBCMT ref: 010367EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _strlen
                                    • String ID:
                                    • API String ID: 4218353326-0
                                    • Opcode ID: 9694b9cf61f8035238691f468d33c2cc2dc14cfbd8f9bdd6a7bc30733e7c9d94
                                    • Instruction ID: dc7f5cd165432c3ddc25d1df999d20baf6666e0f76eafa5fb64519618fc33618
                                    • Opcode Fuzzy Hash: 9694b9cf61f8035238691f468d33c2cc2dc14cfbd8f9bdd6a7bc30733e7c9d94
                                    • Instruction Fuzzy Hash: BE41F575A00106BFCB14EB69CDC5FAEB3ADAF88310F048259F9559B292DF75AE40C750
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0102BB09
                                    • GetLastError.KERNEL32(?,00000000), ref: 0102BB2F
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0102BB54
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0102BB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
                                    • Instruction ID: afd9652f320171d933728f28fd46b59fe72a64cd03834cf282d123965fe78b7f
                                    • Opcode Fuzzy Hash: ce016cb6b8042d43590f06e2bb33911600066714f917efbbe22262e54051c879
                                    • Instruction Fuzzy Hash: BB415139200512DFCB21DF19C689E5DBBE1EF49710B058488ED8A9B762CB78FD01DB91
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 01048B4D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
                                    • Instruction ID: 608d71346bbbf1fe6cec0a6d0f9813e27151ca43d0826d4c6095228009aafbb3
                                    • Opcode Fuzzy Hash: 261b271e898dbf09b28aa8ccb98e8fcb67afd164636a68053f98342f80e506fc
                                    • Instruction Fuzzy Hash: E131ADF4644204BFEB619AACCCC5FAD3BA4EB09320F14CE67FBD1D6291C635A5508B81
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 0104AE1A
                                    • GetWindowRect.USER32(?,?), ref: 0104AE90
                                    • PtInRect.USER32(?,?,0104C304), ref: 0104AEA0
                                    • MessageBeep.USER32(00000000), ref: 0104AF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
                                    • Instruction ID: 5826e397cb91ded9249cb000bb3de181fa81306bcb7e796822418bc5b6faa7da
                                    • Opcode Fuzzy Hash: 37850da33febc5705a94ef436f28bcf04d8703b137bd9dc29b9cc02beb331964
                                    • Instruction Fuzzy Hash: AB418FB4744106DFDB21CF59C4C4A9D7BF5FB49340F1581B9E9AA8B245D732A842CB50
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01021037
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 01021053
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 010210B9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0102110B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
                                    • Instruction ID: 073ae2490bf451b3f6e038e2d8b4efc3aa535aa49a140c459befc02a0e3f04a4
                                    • Opcode Fuzzy Hash: 5ba0c45b57ec68edc783a07b3784a9fa5d12b00dfa8ee093e75ac9168666320f
                                    • Instruction Fuzzy Hash: 8F313970F446A8AEFB318A6D8C44BFEBBE9AF44310F04435AF6C0521D1C3BD45818791
                                    APIs
                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 01021176
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 01021192
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 010211F1
                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 01021243
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
                                    • Instruction ID: 7b011da4478fe7d153566581b19c9936cbfbd359de9a8da92ad761e2da187a06
                                    • Opcode Fuzzy Hash: 22fab8fef5f0e295ad8afca6c4e5293056e9668456d87f9ed63eb8d51e7a137d
                                    • Instruction Fuzzy Hash: 68312670A407286EFF318A6D8804BFEBBFAAB49310F14439AF5C4925D5C37986558791
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FF644B
                                    • __isleadbyte_l.LIBCMT ref: 00FF6479
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64A7
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FF64DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
                                    • Instruction ID: c25730ce1d82335b599cbe260d34b45ee38a28258385dcfa58cd8d91da05767e
                                    • Opcode Fuzzy Hash: e2d1a65f2962f47ce78d923b4c90d7bc1312d3052951433d5002214cb312a7ca
                                    • Instruction Fuzzy Hash: 6331AD31A0024AAFDB21EF65CC85BBA7BB5FF41320F154029EA64D71B1EB35D850EB90
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 01045189
                                      • Part of subcall function 0102387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01023897
                                      • Part of subcall function 0102387D: GetCurrentThreadId.KERNEL32 ref: 0102389E
                                      • Part of subcall function 0102387D: AttachThreadInput.USER32(00000000,?,010252A7), ref: 010238A5
                                    • GetCaretPos.USER32(?), ref: 0104519A
                                    • ClientToScreen.USER32(00000000,?), ref: 010451D5
                                    • GetForegroundWindow.USER32 ref: 010451DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
                                    • Instruction ID: 388eb24d1dda0960efb08a3536c6704ec2e2032c199ef26a8cb53f794e993a72
                                    • Opcode Fuzzy Hash: ed7c5a08652e758b17cfbf6efc0105cc5c5cdf42e2d0d11401e8e04fca04d3b9
                                    • Instruction Fuzzy Hash: 50312175900109AFDB10EFA5CD85EEFB7F9EF98300F10406AE455E7241EA799E05CBA0
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • GetCursorPos.USER32(?), ref: 0104C7C2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FFBBFB,?,?,?,?,?), ref: 0104C7D7
                                    • GetCursorPos.USER32(?), ref: 0104C824
                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FFBBFB,?,?,?), ref: 0104C85E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                    • String ID:
                                    • API String ID: 2864067406-0
                                    • Opcode ID: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
                                    • Instruction ID: 52eb2e5787fd595b92950a9bb0db79877fcc0192100a7e32ffa773da0c161f82
                                    • Opcode Fuzzy Hash: e6e38cce01862684d0e1ac798396437306e505b19b51f8bc48297efb4ec53190
                                    • Instruction Fuzzy Hash: F131E175601018AFEB25CF4CC9D8EEA7BF6FB09320F0440A9FA858B251D7369950DFA0
                                    APIs
                                      • Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01018669
                                      • Part of subcall function 01018652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01018673
                                      • Part of subcall function 01018652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01018682
                                      • Part of subcall function 01018652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01018689
                                      • Part of subcall function 01018652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0101869F
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 01018BEB
                                    • _memcmp.LIBCMT ref: 01018C0E
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01018C44
                                    • HeapFree.KERNEL32(00000000), ref: 01018C4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 1592001646-0
                                    • Opcode ID: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
                                    • Instruction ID: d9fe4dd7ac8745e640e42eb74634aab3547613f7a86533fc30c5f4f3914e4c69
                                    • Opcode Fuzzy Hash: 9868f059cd2ac16d81ebd75eee3a00df33288d257773df7604f192be39ddf26f
                                    • Instruction Fuzzy Hash: A7216D71E01209ABDB10DF98C944BEEB7F8FF44354F14809AE994A7244D739AA05CB50
                                    APIs
                                    • __setmode.LIBCMT ref: 00FE0BF2
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
                                    • _fprintf.LIBCMT ref: 00FE0C29
                                    • OutputDebugStringW.KERNEL32(?), ref: 01016331
                                      • Part of subcall function 00FE4CDA: _flsall.LIBCMT ref: 00FE4CF3
                                    • __setmode.LIBCMT ref: 00FE0C5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    • Opcode ID: e3e04d34ee98587396b7a7b67ba73fca88b1803d896e45cb133ff481e3697c81
                                    • Instruction ID: 60fcb7a68b789ed8b623ac34c8ad16572f399129426d0b107ed910473caea12a
                                    • Opcode Fuzzy Hash: e3e04d34ee98587396b7a7b67ba73fca88b1803d896e45cb133ff481e3697c81
                                    • Instruction Fuzzy Hash: B3113A32A042457BCB04B7BAAC47EBE7B699F41320F24415EF104971C2DE792D816791
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01031A97
                                      • Part of subcall function 01031B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01031B40
                                      • Part of subcall function 01031B21: InternetCloseHandle.WININET(00000000), ref: 01031BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
                                    • Instruction ID: 70454c2e1f6e08ff9f71416db47bbafacabd9e5612869b75e91d46e00d3ab835
                                    • Opcode Fuzzy Hash: 33de4ac9abaaa790e5e809277d00dc19ff3377cf2f4bed717f221cf1c20a98f3
                                    • Instruction Fuzzy Hash: E521A475200601BFEB169F648C00FBBBBEDFF8C601F00401AFA91D6550E775D41197A0
                                    APIs
                                      • Part of subcall function 0101F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F5BC
                                      • Part of subcall function 0101F5AD: lstrcpyW.KERNEL32(00000000,?,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101F5E2
                                      • Part of subcall function 0101F5AD: lstrcmpiW.KERNEL32(00000000,?,0101E1C4,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?), ref: 0101F613
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E1DD
                                    • lstrcpyW.KERNEL32(00000000,?,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E203
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0101EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0101E237
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: bb414eceaca41ab5ac933f9c9a54aa01fb01e6c11d589afac0af57325559ce03
                                    • Instruction ID: a077e7d043f3473b0d79dadbc821d8a15dfe41fae2aadc9314d3547cb39894b9
                                    • Opcode Fuzzy Hash: bb414eceaca41ab5ac933f9c9a54aa01fb01e6c11d589afac0af57325559ce03
                                    • Instruction Fuzzy Hash: 3511D33A200342EFCB26AF68D844DBE77E8FF45310B40802AED46CB258EB75D850D790
                                    APIs
                                    • _free.LIBCMT ref: 00FF5351
                                      • Part of subcall function 00FE594C: __FF_MSGBANNER.LIBCMT ref: 00FE5963
                                      • Part of subcall function 00FE594C: __NMSG_WRITE.LIBCMT ref: 00FE596A
                                      • Part of subcall function 00FE594C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,00FE1013,?), ref: 00FE598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 938e1635e9c9faaa18cb7c40eb0ecd8da8aa74371de984fe2c4a3add4ff78a99
                                    • Instruction ID: 11288a9f0f2a6785d9141f3e5dedafc3be6d8d1ed4ab73f6fb76670d70f2d888
                                    • Opcode Fuzzy Hash: 938e1635e9c9faaa18cb7c40eb0ecd8da8aa74371de984fe2c4a3add4ff78a99
                                    • Instruction Fuzzy Hash: 8A11E732904A1AAFCB313FB9EC4477D37995F10BF1F144429FB889A1A1DE7A8941B750
                                    APIs
                                    • _memset.LIBCMT ref: 00FC4560
                                      • Part of subcall function 00FC410D: _memset.LIBCMT ref: 00FC418D
                                      • Part of subcall function 00FC410D: _wcscpy.LIBCMT ref: 00FC41E1
                                      • Part of subcall function 00FC410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FC41F1
                                    • KillTimer.USER32(?,00000001,?,?), ref: 00FC45B5
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FC45C4
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FFD6CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
                                    • Instruction ID: 49d2b9c5e4b41842d745df90dbed757199921130c054f50acae55f16ea55c0ce
                                    • Opcode Fuzzy Hash: f9cd1f62cf06ab2d109e3c7c9a1e90c37fd64b62d9e849f9012db05bed7714b2
                                    • Instruction Fuzzy Hash: 05212571904788AFEB328B248956FF6BBEC9F01318F04009DE3DE96245C7792A84AB41
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 010240D1
                                    • _memset.LIBCMT ref: 010240F2
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 01024144
                                    • CloseHandle.KERNEL32(00000000), ref: 0102414D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
                                    • Instruction ID: 164a0fec89ab1b781bf9813710f423aba1b5515f3a6b69abf6855a707c4d03f8
                                    • Opcode Fuzzy Hash: a0caaa9b8d05030f6772e57598152ba597d63e8252a22674c810613c76ac8adf
                                    • Instruction Fuzzy Hash: D111AB75D012387AD7305AA99C8DFABBBBCEF45760F1045D6F908D7180D6744E808BA4
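The CreateFileW / DeviceIoControl listing above is what the overview's "Contains functionality to communicate with device drivers" signature points at, and its constants are recoverable. Under the CTL_CODE macro, 0x0004D02C splits into device type 4 (FILE_DEVICE_CONTROLLER, the SCSI/ATA base), function 0x40B, METHOD_BUFFERED and read/write access, which is IOCTL_ATA_PASS_THROUGH from ntddscsi.h, the control code typically used to send ATA commands such as IDENTIFY DEVICE to a physical drive; the 0x200-byte in/out buffers are consistent with a 512-byte ATA data block. The CreateFileW call opens its target with GENERIC_READ|GENERIC_WRITE and OPEN_EXISTING, as one does for a \\.\PhysicalDriveN style path, although the path itself ("?") is not recovered statically. The Python below is an added triage helper, not part of the Joe Sandbox report nor code from the analysed sample: it parses "APIs" bullets of this shape pasted as plain text and decodes the CreateFileW and IOCTL constants. The sample listing and the small IOCTL table are constructed for the example and the table is deliberately short.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the API lines of the CreateFileW / DeviceIoControl listing
# above, copied as plain text so the parser can be exercised offline.
SAMPLE_LISTING = """\
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 010240D1
• _memset.LIBCMT ref: 010240F2
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 01024144
• CloseHandle.KERNEL32(00000000), ref: 0102414D
"""

# One bullet of a Joe Sandbox "APIs" listing: optional "Part of subcall function X:",
# Name.MODULE, optional "(args)", then "ref: ADDR". Values the static analysis could
# not recover are printed as "?".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[int] = None

def parse_listing(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Memory Dump Source"
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), sub))
    return calls

def arg_int(value: str) -> Optional[int]:
    """Hex argument to int; "?" (not statically recoverable) becomes None."""
    try:
        return int(value, 16)
    except ValueError:
        return None

# CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0].
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK", 0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
# Hand-picked subset for the example; extend from ntddscsi.h, ntdddisk.h and ntddstor.h.
KNOWN_IOCTLS = {
    0x0004D004: "IOCTL_SCSI_PASS_THROUGH",
    0x0004D02C: "IOCTL_ATA_PASS_THROUGH",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}

def decode_ioctl(code: int) -> Dict[str, object]:
    device = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "name": KNOWN_IOCTLS.get(code, "unknown"),
        "device_type": DEVICE_TYPES.get(device, f"0x{device:04X}"),
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
    }

CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_create_file(args: List[str]) -> Dict[str, object]:
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, ...)."""
    access = arg_int(args[1]) or 0
    flags = [n for bit, n in ((0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")) if access & bit]
    disp = arg_int(args[4])
    return {"access": "|".join(flags) or f"0x{access:08X}", "disposition": CREATION.get(disp, str(disp))}

def analyze(calls: List[ApiCall]) -> Dict[str, object]:
    """Resolve the device-related constants of a listing into readable findings."""
    findings: Dict[str, object] = {"open": None, "ioctls": []}
    for c in calls:
        if c.name == "CreateFileW" and len(c.args) >= 5:
            findings["open"] = decode_create_file(c.args)
        elif c.name == "DeviceIoControl" and len(c.args) >= 2:
            code = arg_int(c.args[1])
            if code is not None:
                findings["ioctls"].append(decode_ioctl(code))
    return findings

if __name__ == "__main__":
    for key, value in analyze(parse_listing(SAMPLE_LISTING)).items():
        print(key, value)
```

The parser accepts the nested-parenthesis form the report uses elsewhere (e.g. `00000003(TokenIntegrityLevel)`) and the parenthesis-free `_memset.LIBCMT ref:` form, so the same function can be pointed at any "APIs" block on this page.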
                                    APIs
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01027B20,?,?,00000000), ref: 00FC5B8C
                                      • Part of subcall function 00FC5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01027B20,?,?,00000000,?,?), ref: 00FC5BB0
                                    • gethostbyname.WSOCK32(?,?,?), ref: 010366AC
                                    • WSAGetLastError.WSOCK32(00000000), ref: 010366B7
                                    • _memmove.LIBCMT ref: 010366E4
                                    • inet_ntoa.WSOCK32(?), ref: 010366EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
                                    • Instruction ID: 1b770fec8a4cc0543ecc33aca47efaea4f534c30a683a22577b8195c12fa5221
                                    • Opcode Fuzzy Hash: 443526cf5721a66ad90c8c569a1f4580e1a3e261ec68cc8dbb301385c741eb1f
                                    • Instruction Fuzzy Hash: 2D11907650010AAFCB00EBA5DE86DEEB7B8AF44710B044069F502A7161DF79AF04DB61
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 01019043
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019055
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0101906B
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01019086
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
                                    • Instruction ID: 1149ce3657dc50bf536deb09d092cd5f8081c2f79720f2de91d6d8287237e655
                                    • Opcode Fuzzy Hash: 4a4bdc6a944f99576a471ddac9556cc2b6a7db6d8117d4f2d3feb1c2c76f9937
                                    • Instruction Fuzzy Hash: 36115A79901219FFEB11DFA9C984EADBBB8FB48350F204095FA44B7294D6726E10DB90
                                    APIs
                                      • Part of subcall function 00FC2612: GetWindowLongW.USER32(?,000000EB), ref: 00FC2623
                                    • DefDlgProcW.USER32(?,00000020,?), ref: 00FC12D8
                                    • GetClientRect.USER32(?,?), ref: 00FFB84B
                                    • GetCursorPos.USER32(?), ref: 00FFB855
                                    • ScreenToClient.USER32(?,?), ref: 00FFB860
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Client$CursorLongProcRectScreenWindow
                                    • String ID:
                                    • API String ID: 4127811313-0
                                    • Opcode ID: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
                                    • Instruction ID: 41749e912415047e02fe89875a48f2afddcc1c74df54e00a469d040f32282bab
                                    • Opcode Fuzzy Hash: a03937b596406e8711b760f167f3da64c8c13cbff6b2563b8aef45b3ec094925
                                    • Instruction Fuzzy Hash: 72112B7990001AEBDB10EFA8DA86EEE77B8FB06301F000459E951E7141C735BA61ABA5
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102166F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 01021694
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 0102169E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,010201FD,?,01021250,?,00008000), ref: 010216D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
                                    • Instruction ID: 3e966406413472210e6c2029d07f8dcb3f461abdf2cf824afa296b508c014f1e
                                    • Opcode Fuzzy Hash: 16f6e6f700a6475e6212cf7a7852d82660385fcc52f066216be97e8e57135f93
                                    • Instruction Fuzzy Hash: 25113C71D0052DE7CF20AFA9E988AEEBF78FF0D751F054095E980B6244CB355560CB96
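The QueryPerformanceCounter / Sleep / QueryPerformanceCounter / Sleep sequence above is the shape behind the overview's "Contains functionality for execution timing, often used to detect debuggers" signature: a high-resolution timestamp taken before and after a Sleep lets code compare how much time really passed with how much it asked for. A sandbox that patches Sleep, or a debugger that lets the analyst skip it, returns early and the gap is visible from inside the sample. The Python below is an added illustration of that general check, not the sample's own logic (what the listed function does with its two readings is not recoverable from the listing). time.perf_counter and time.sleep stand in for QueryPerformanceCounter and Sleep, and FakeSandboxClock is a constructed stand-in for an environment that fast-forwards sleeps.

```python
import time
from typing import Callable, Dict

def sleep_was_accelerated(requested_ms: int,
                          sleep: Callable[[float], None] = time.sleep,
                          clock: Callable[[], float] = time.perf_counter,
                          tolerance: float = 0.9) -> Dict[str, object]:
    """Timestamp, sleep, timestamp: the same shape as the listing above.

    Returns the measured interval and whether the sleep came back early.
    `tolerance` allows for scheduler jitter; a sleep that returns in less
    than tolerance * requested is treated as skipped or fast-forwarded.
    """
    t0 = clock()
    sleep(requested_ms / 1000.0)
    t1 = clock()
    elapsed_ms = (t1 - t0) * 1000.0
    return {
        "requested_ms": requested_ms,
        "elapsed_ms": elapsed_ms,
        "accelerated": elapsed_ms < requested_ms * tolerance,
    }

class FakeSandboxClock:
    """Constructed stand-in for a sandbox whose Sleep is patched: the clock
    advances only `skew` of every requested sleep (skew=1.0 is an honest host)."""

    def __init__(self, skew: float) -> None:
        self.now = 0.0
        self.skew = skew

    def sleep(self, seconds: float) -> None:
        self.now += seconds * self.skew

    def clock(self) -> float:
        return self.now

def timing_verdict(samples: int = 3, requested_ms: int = 50,
                   sleep: Callable[[float], None] = time.sleep,
                   clock: Callable[[], float] = time.perf_counter) -> bool:
    """Repeat the measurement; a single early return is noise, all of them is
    a patched Sleep. Returns True when the environment looks accelerated."""
    return all(sleep_was_accelerated(requested_ms, sleep, clock)["accelerated"]
               for _ in range(samples))

if __name__ == "__main__":
    print("real host:", sleep_was_accelerated(20))
    fake = FakeSandboxClock(skew=0.1)
    print("fast-forwarded sandbox:", sleep_was_accelerated(500, fake.sleep, fake.clock))
```

For detection engineering the useful takeaway is the pair of API calls bracketing a Sleep with a long requested interval; that pattern, rather than either call alone, is what distinguishes a timing check from ordinary timer code.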
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: 6cd2e390a946091f402a1197efef3675b6d33d83954d3cdd7525b065202c31b5
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: AD014C3644824EBBCF126E84DC018EEBF62BF69351B588615FB1858031D237C9B1BF81
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 0104B59E
                                    • ScreenToClient.USER32(?,?), ref: 0104B5B6
                                    • ScreenToClient.USER32(?,?), ref: 0104B5DA
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0104B5F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                    • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
                                    • Instruction ID: ed483cf32da9dd4faa6edc280e54afb22fcf3f00aa183ea4f7a5ae4a88e7782c
                                    • Opcode Fuzzy Hash: 6931e7cb0faca919299a236abe004a37ab2673082c46ab7a544707c1253d0c9e
                                    • Instruction Fuzzy Hash: 861163B9D0020AEFDB51DFA9C584AEEFBF9FB08310F108166E954E3210D735AA518F90
                                    APIs
                                    • _memset.LIBCMT ref: 0104B8FE
                                    • _memset.LIBCMT ref: 0104B90D
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01087F20,01087F64), ref: 0104B93C
                                    • CloseHandle.KERNEL32 ref: 0104B94E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
                                    • Instruction ID: fb0459335d5f1f24e8e031d1257a6954f7106f3176d041ae98ad0f87dd48eb07
                                    • Opcode Fuzzy Hash: 89d6c6a9f415ead19b6cb2d6b41cfcdfba7bf831202ad2e048cd23c138b63cfb
                                    • Instruction Fuzzy Hash: 49F082F2544310BBF2202666AC49FBF3A9CEB08758F104060BBC8D618FD77A4D0087A8
                                    APIs
                                    • EnterCriticalSection.KERNEL32(?), ref: 01026E88
                                      • Part of subcall function 0102794E: _memset.LIBCMT ref: 01027983
                                    • _memmove.LIBCMT ref: 01026EAB
                                    • _memset.LIBCMT ref: 01026EB8
                                    • LeaveCriticalSection.KERNEL32(?), ref: 01026EC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
                                    • Instruction ID: b7c40778f4fd2e9de135908e063e7c029bf89759cb4d2638e8aab281056aa324
                                    • Opcode Fuzzy Hash: 7b6b3c89a90bc4ab35b990e09b0d22ad45ccaa0deda3cca9aae26ca04482692a
                                    • Instruction Fuzzy Hash: 28F05E7A200210ABCF116F55DD84A8ABB2AEF45320B08C055FE089F21AC736A911DBB4
                                    APIs
                                      • Part of subcall function 00FC12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FC134D
                                      • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC135C
                                      • Part of subcall function 00FC12F3: BeginPath.GDI32(?), ref: 00FC1373
                                      • Part of subcall function 00FC12F3: SelectObject.GDI32(?,00000000), ref: 00FC139C
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0104C030
                                    • LineTo.GDI32(00000000,?,?), ref: 0104C03D
                                    • EndPath.GDI32(00000000), ref: 0104C04D
                                    • StrokePath.GDI32(00000000), ref: 0104C05B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
                                    • Instruction ID: 5eebb8efa46d697dd1032382ebb2bd9618206b430c3e33be1a3d0998ba81c9a7
                                    • Opcode Fuzzy Hash: 1dc72ed73465ca6d8ae1e50339241e28fbe74030c6d551a26753d9913e35dafd
                                    • Instruction Fuzzy Hash: 11F0BE7500525ABBEB326F58ED0EFCE3F98AF06310F044100FA91210D587BA0160CFA5
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0101A399
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0101A3AC
                                    • GetCurrentThreadId.KERNEL32 ref: 0101A3B3
                                    • AttachThreadInput.USER32(00000000), ref: 0101A3BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
                                    • Instruction ID: f78bf9f569e0fdfa3cb041f493c087578452f4627ac6d1eb440e2c2825b4a91d
                                    • Opcode Fuzzy Hash: 387c45cc7dede41937c90e6d111b74ef644bc95ab8a4c18127ce200512de7584
                                    • Instruction Fuzzy Hash: 7CE03071241268BBEB211A65DD4CFD77F5CEF167A1F008015F989D6054C6BA8540C7A0
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00FC2231
                                    • SetTextColor.GDI32(?,000000FF), ref: 00FC223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00FC2250
                                    • GetStockObject.GDI32(00000005), ref: 00FC2258
                                    • GetWindowDC.USER32(?,00000000), ref: 00FFC0D3
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FFC0E0
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00FFC0F9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00FFC112
                                    • GetPixel.GDI32(00000000,?,?), ref: 00FFC132
                                    • ReleaseDC.USER32(?,00000000), ref: 00FFC13D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
                                    • Instruction ID: 8aebf47b0d08c6cf6d876fc6331a285e4c115a99f2b109036f339f6ec24618c1
                                    • Opcode Fuzzy Hash: 57c3bef8b355d5287d89fa26ea333ca56b78e01e75d55ab35126aa2c1a6a263d
                                    • Instruction Fuzzy Hash: A0E06576500149ABEB315F68FA4D7D83B10EB06332F008356FBA9580F587764590DB51
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 01018C63
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C6A
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0101882E), ref: 01018C77
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0101882E), ref: 01018C7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
                                    • Instruction ID: 093c894f67dcd02a0faa94ef46e66411d479e25370ad56531d0775d769795f2a
                                    • Opcode Fuzzy Hash: e89a513c7b51361a5fc1446841431d077ca715323376bb57773a7aeabb394687
                                    • Instruction Fuzzy Hash: 58E086BA642212EBD7705FBC6F4CB573BACEF41792F048858B6C5C9048D63D8041CB51
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 01002187
                                    • GetDC.USER32(00000000), ref: 01002191
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
                                    • ReleaseDC.USER32(?), ref: 010021D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
                                    • Instruction ID: e1cbb5758ecb8fe7dcb63e556d0967538e9fd365f42fb3d51486e4fc7bb8c4b4
                                    • Opcode Fuzzy Hash: 870479243c7edc7ead0b63df9bbf9d35ab516f3aba21b51e9fdcc0bd1341b689
                                    • Instruction Fuzzy Hash: 95E0E5B9800606EFDB11AFB5DA49B9E7BB1EB5C350F118409FD9A97250CB7D8141AF40
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 0100219B
                                    • GetDC.USER32(00000000), ref: 010021A5
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 010021B1
                                    • ReleaseDC.USER32(?), ref: 010021D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
                                    • Instruction ID: 05d1e39e82520574ed549af86d5e3e6ff4da8854e8bee4b383c9a6ecf19d76b1
                                    • Opcode Fuzzy Hash: da4991181ce18a1e0af6708020f2d2a8314b1833b7bb415e6c47579684798a89
                                    • Instruction Fuzzy Hash: A5E0E5B9800206AFCB21AFB5CA49A9E7BA1EB4C310F118009FD9A97210CB7D9141AF40
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0101B981
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container
                                    • API String ID: 3565006973-3941886329
                                    • Opcode ID: 1c1edba85bb4601013eb47351bb14347411671c3593604a5531add2dd4c5b5b2
                                    • Instruction ID: 0efb4f893902c2360365288366f55c66b1dddbcb74642a4ee59cbdca43b258dc
                                    • Opcode Fuzzy Hash: 1c1edba85bb4601013eb47351bb14347411671c3593604a5531add2dd4c5b5b2
                                    • Instruction Fuzzy Hash: F8915B716002029FDB64DF68C884A6ABBF5FF48710F1485ADF98ACB295DB75E841CB50
                                    APIs
                                      • Part of subcall function 00FDFEC6: _wcscpy.LIBCMT ref: 00FDFEE9
                                      • Part of subcall function 00FC9997: __itow.LIBCMT ref: 00FC99C2
                                      • Part of subcall function 00FC9997: __swprintf.LIBCMT ref: 00FC9A0C
                                    • __wcsnicmp.LIBCMT ref: 0102B298
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0102B361
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: 4ab93e4ec7945befb6cac728eda0ef60ddb2e55fdc6e029c1bb40413bfdc17ae
                                    • Instruction ID: 4ab6d482dcca87941766afd58e1aca988fad6065a4ceaeeda45c771a2e5c75a7
                                    • Opcode Fuzzy Hash: 4ab93e4ec7945befb6cac728eda0ef60ddb2e55fdc6e029c1bb40413bfdc17ae
                                    • Instruction Fuzzy Hash: E7618375A04225EFCB14DF98C985EAEB7F4EF08710F05809AF986AB351DB74AE44CB50
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00FD2AC8
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FD2AE1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
                                    • Instruction ID: aef8466030424f97bab3f4a23bc005cdd4d352d234bb11aa9d1e0d7876479262
                                    • Opcode Fuzzy Hash: c8fa42e3e10dba1ce9780456913fadec896166a600ef4fdcb688168f22c36739
                                    • Instruction Fuzzy Hash: 565168714187459BD320AF11DD8AFABBBE8FF84310F42884DF1D981095DB798428DB26
                                    APIs
                                      • Part of subcall function 00FC506B: __fread_nolock.LIBCMT ref: 00FC5089
                                    • _wcscmp.LIBCMT ref: 01029AAE
                                    • _wcscmp.LIBCMT ref: 01029AC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
                                    • Instruction ID: d17354d32d4b9aea3edbbe57eb9de891f2888ae2cffc9a8ba7061fbaf12e11ce
                                    • Opcode Fuzzy Hash: a4e0b19dddf2a0f0fce71e5712d99bea1c2f89d8410a4ac3eb545d475a4b7c85
                                    • Instruction Fuzzy Hash: 8D410671A4062ABADF219BA4CC46FEFBBFDDF45B14F000079F940E7181DA75AA4487A1
                                    APIs
                                    • _memset.LIBCMT ref: 01032892
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010328C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
                                    • Instruction ID: 9edc70752d8bdab3d3501bd9d49c3e154c9d34cd5fae6605b1ae920351c3b79b
                                    • Opcode Fuzzy Hash: 91371256fef38153db6bf90e527e1eadf6df0b28c7f6daee8553bbe906c2c86f
                                    • Instruction Fuzzy Hash: 4631507180121AAFCF01EFA5CC86EEEBFB9FF08350F10406AF914A6165DB355A56DB60
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 01046D86
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01046DC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
                                    • Instruction ID: ada0f5a9cc694d3b58f3b8ee9effe493a3969a21ebd7b8886d4111241d756754
                                    • Opcode Fuzzy Hash: e20cc9b6d9df66c141c016b13c909e80efdf025b367cb2954b897dd17c844a8c
                                    • Instruction Fuzzy Hash: DB318FB1500605AFEB11AF28CC80BFB77A8FF49724F108529F9E597191DA36A891DB60
                                    APIs
                                    • _memset.LIBCMT ref: 01022E00
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01022E3B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: da3c0101a150e9fd1a05bbbc8783d9068dbf2cef6053a27c946755f7de72d901
                                    • Instruction ID: 3b84f1fe6832dc27c4ac97a2b9bc69427d11812dcff083570b64d6da2b083f71
                                    • Opcode Fuzzy Hash: da3c0101a150e9fd1a05bbbc8783d9068dbf2cef6053a27c946755f7de72d901
                                    • Instruction Fuzzy Hash: CD31E371600325ABEF649E8DC884BAEBFF9FF05300F1400A9EAC5971A0D7709580EB50
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010469D0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010469DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
                                    • Instruction ID: 8d9e93543d0ff13aaafa4de6422c69d9c4a73a71afcaf418d5c318a728a20c55
                                    • Opcode Fuzzy Hash: b73fd399eb641f5b48fe0a15c22031a095aa03600ad9a964ba39e230d95e241b
                                    • Instruction Fuzzy Hash: DE11E9B56101096FEF129E18CCC0EFB37AEEB8A3A4F110135F99897291E6769C5087A0
                                    APIs
                                      • Part of subcall function 00FC1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00FC1D73
                                      • Part of subcall function 00FC1D35: GetStockObject.GDI32(00000011), ref: 00FC1D87
                                      • Part of subcall function 00FC1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FC1D91
                                    • GetWindowRect.USER32(00000000,?), ref: 01046EE0
                                    • GetSysColor.USER32(00000012), ref: 01046EFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
                                    • Instruction ID: 53474c312a18da687908e3e15cb99596b38c42a1e8b17d61f4e27fb57f7ff63f
                                    • Opcode Fuzzy Hash: e05a7fe7108e9851aa2e841d106ab3edd28a72b60f7b845282191de9bfcc83d6
                                    • Instruction Fuzzy Hash: 5D2117B261020AAFDB14DFA8C985AEA7BF8FB09314F014669F995D2240E635E8619B50
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 01046C11
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 01046C20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
                                    • Instruction ID: e0a02b5ff545e2fb2656b44e720a71f9bfb13baca6e2c7e1bd9703f22558e89e
                                    • Opcode Fuzzy Hash: fc617fbdb6b6c751f55a2feb22eb991981f2bd43ac36ea686e893baf3777efec
                                    • Instruction Fuzzy Hash: 3611BFB1500209ABEB515E68DC81AFB37A9EB06374F104728F9A1971D0D676DC909BA0
                                    APIs
                                    • _memset.LIBCMT ref: 01022F11
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01022F30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
                                    • Instruction ID: c73b9e136482d78a8793880d156fd39b2536241fe88e021cda674c27f450a745
                                    • Opcode Fuzzy Hash: 9b2e9d3b1e80b5523b9d801414427bca43b900a18f8f1e0f8f7ac8d323bdeac0
                                    • Instruction Fuzzy Hash: 6811E671905134ABEBA0EADCDC44FAE7BE9EB01310F0500F1EAC4A72A0DBB1A904C795
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01032520
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01032549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
                                    • Instruction ID: 9b7fce2afd564ce8ef6d162985f964ebeb40074fbef4e9251a980877d5146c99
                                    • Opcode Fuzzy Hash: 87f39f98dbdeddc2433ce7b592e8e8726fefc1f030d9dcf7d4c0a7b1f9163ae6
                                    • Instruction Fuzzy Hash: 481106B0500225BADB259F558C99FBBFFACFF46651F00816AF58686081D7706650C7F0
                                    APIs
                                      • Part of subcall function 0103830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,010380C8,?,00000000,?,?), ref: 01038322
                                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 010380CB
                                    • htons.WSOCK32(00000000,?,00000000), ref: 01038108
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 2496851823-2422070025
                                    • Opcode ID: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
                                    • Instruction ID: c6fd15d08da3e4c2a67fdb8eb97b024148909a6e19c3368fcb3a6d08dd868949
                                    • Opcode Fuzzy Hash: 756a16bcb0deabc14e59fcd5982cf6aa872f61e112707971983acd219734cc87
                                    • Instruction Fuzzy Hash: F811E574600206ABDB20DF68CC86FEEB368FF44310F10C69BFA5197281DA76A810C755
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01019355
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: b872cd776cac2c5eb9612a6a3449c159c65935fd5ee49394380120e16ecda896
                                    • Instruction ID: c8a3d157c7781cac4ceac45fb7016b5dc8c734b73def42c0d13cf97f343eaef6
                                    • Opcode Fuzzy Hash: b872cd776cac2c5eb9612a6a3449c159c65935fd5ee49394380120e16ecda896
                                    • Instruction Fuzzy Hash: 8301F171A01216ABCB04FBA5CCA2DFE77A9BF06760B00065DF9B2572C5DF396908D750
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0101924D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: f4dbc1c8cbac7d4ce7d4d757df864eca30185fb925d4a69f02ba3610781f2b78
                                    • Instruction ID: a2b44ff2af167cad63b3ef36c4ee732737c27836937290ad13c94ee0c9eeb758
                                    • Opcode Fuzzy Hash: f4dbc1c8cbac7d4ce7d4d757df864eca30185fb925d4a69f02ba3610781f2b78
                                    • Instruction Fuzzy Hash: FD014271E4120A6BCB04FBA0CEA2EFE77AC9F05740F10015DB98267281EE1D6F0C96B1
                                    APIs
                                      • Part of subcall function 00FC7F41: _memmove.LIBCMT ref: 00FC7F82
                                      • Part of subcall function 0101B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0101B0E7
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 010192D0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 884048ef9f8a95c9f0ebceb32c8d967eced34947cfd0bf21758d01d6b7a976d2
                                    • Instruction ID: 509372767e9a1d7ca992a9fc30ca0313f45ac33d086158b6dcf30736106392a8
                                    • Opcode Fuzzy Hash: 884048ef9f8a95c9f0ebceb32c8d967eced34947cfd0bf21758d01d6b7a976d2
                                    • Instruction Fuzzy Hash: F0012671E4120A6BCB00FAA5CE92EFE77AC9F10750F14015DB98263285DA2D5F0C96B1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
                                    • Instruction ID: 07644d08d8fd743db838f3bc4844b9361f2b9f0c1f8c90819145ddcc01c676eb
                                    • Opcode Fuzzy Hash: fb14bacbf205e0a03e08bb012dd4fc811093037cad311212581d17d8e8627115
                                    • Instruction Fuzzy Hash: 4CE02B72A0423957D32095999C49B97F7ACEB41721F00005AF950D3040D565950587E0
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 010181CA
                                      • Part of subcall function 00FE3598: _doexit.LIBCMT ref: 00FE35A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 1993061046-4017498283
                                    • Opcode ID: 91a74ec1ab47c0f1ec85b077a383f3cb166267f034df4d833a1c37151404a055
                                    • Instruction ID: e0f2163a70135eb313dc36180f37ea71db9fa40599a673360a65bf46723f50b6
                                    • Opcode Fuzzy Hash: 91a74ec1ab47c0f1ec85b077a383f3cb166267f034df4d833a1c37151404a055
                                    • Instruction Fuzzy Hash: 64D05B323C535932D26432BA6D0BFC67D884B05B55F04441ABB48995D38EEA558152DD
                                    APIs
                                      • Part of subcall function 00FFB564: _memset.LIBCMT ref: 00FFB571
                                      • Part of subcall function 00FE0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FFB540,?,?,?,00FC100A), ref: 00FE0B89
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FFB544
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FFB553
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FFB54E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3158253471-631824599
                                    • Opcode ID: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
                                    • Instruction ID: 40664510df01fee249e211ab69aa17f3e328725f7333b51b427221ac02521f66
                                    • Opcode Fuzzy Hash: 29048dfa1d57ced926229ff448fe3d3fb708e6ec01d70d2451d3755d1d371841
                                    • Instruction Fuzzy Hash: 4CE06DB46007158BD330DF29DA047527BE4AF00758F08892DE5C6C6255DBBDD444DB61
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01045BF5
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01045C08
                                      • Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0102555E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2043266621.0000000000FC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FC0000, based on PE: true
                                     • Associated: 00000000.00000002.2043251492.0000000000FC0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.000000000104F000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043313846.0000000001075000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043358068.000000000107F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2043374901.0000000001088000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fc0000_Bonifico 2692024pdf.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
                                    • Instruction ID: 9aa54ff305ee12a4fc1501182b7dc3894b5676d13adabe0d4eed12fab843cb4c
                                    • Opcode Fuzzy Hash: dbb2f83a5bf12dcf1b8bc18204d28a6505cc8dfe6c07242f7a031db678b537e5
                                    • Instruction Fuzzy Hash: BCD0A975388312B7E334AA30AC4BFD76A10AB00B40F000828B385AA0C0C8E86800C344
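The records above are raw tool output, and reading hundreds of them by hand is where triage stalls. As an added example that is not part of this report or of Joe Sandbox, the following Python script parses the bullet lines of each "APIs" record into structured calls, decodes the literal window-message constants that appear in the SendMessageW/PostMessageW calls (winuser.h values), and flags three of the patterns visible above: the IsDebuggerPresent/OutputDebugStringW pair, InternetSetOptionW with option 0x32 (INTERNET_OPTION_CONNECTED_STATE, 50 in wininet.h, whose INTERNET_CONNECTED_INFO buffer is the 8 bytes shown), and FindWindowW("Shell_TrayWnd") followed by a WM_COMMAND post. The rule names, the assumptions about the record layout, and the sample text (copied from the records above) are this example's own.

```python
"""Triage helper for the per-function 'APIs' records of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox. Rule names and the
record-layout assumptions are this example's own; the Win32 constants are the
standard winuser.h / wininet.h values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four records copied from the report above.
SAMPLE = """\
APIs
  • Part of subcall function 00FFB564: _memset.LIBCMT ref: 00FFB571
• IsDebuggerPresent.KERNEL32(?,?,?,00FC100A), ref: 00FFB544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FC100A), ref: 00FFB553
Strings
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01032520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01032549
Strings
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 010469D0
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010469DB
Strings
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01045BF5
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01045C08
  • Part of subcall function 010254E6: Sleep.KERNEL32(?,00000000), ref: 0102555E
Strings
"""

# One bullet line: optional "Part of subcall function X:" prefix, then Name.MODULE,
# optional "(args)", then "ref: ADDR" (the comma before "ref" is absent on CRT
# helpers such as "_memset.LIBCMT ref: ...").
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX8_RE = re.compile(r"[0-9A-F]{8}")

# Message constants that occur in the records above (winuser.h).
MSG_NAMES = {0x0030: "WM_SETFONT", 0x00B1: "EM_SETSEL", 0x0111: "WM_COMMAND",
             0x0143: "CB_ADDSTRING", 0x014E: "CB_SETCURSEL", 0x0180: "LB_ADDSTRING",
             0x0182: "LB_DELETESTRING", 0x01A2: "LB_FINDSTRINGEXACT"}
INTERNET_OPTION_CONNECTED_STATE = 50  # wininet.h; buffer is INTERNET_CONNECTED_INFO


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str] = None  # callee address when the line is a "subcall" line


def parse_records(text: str) -> List[List[Call]]:
    """Split the text into records (one per 'APIs' header) of Call objects."""
    records: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = LINE_RE.match(line)
        if m and records:
            args = m.group("args")
            # Arguments are unquoted and comma-separated in this format, so a string
            # argument containing a comma would be split; none of the ones here do.
            records[-1].append(Call(m.group("api"), m.group("mod"),
                                    args.split(",") if args else [],
                                    m.group("ref"), m.group("sub")))
    return records


def hex_arg(call: Call, index: int) -> Optional[int]:
    """Return argument `index` as an int when it is an 8-digit hex literal, else None."""
    if index < len(call.args) and HEX8_RE.fullmatch(call.args[index]):
        return int(call.args[index], 16)
    return None


def message_name(call: Call) -> Optional[str]:
    """Decode the uMsg argument of a Send/PostMessage call; None if not a literal."""
    if call.api not in ("SendMessageW", "PostMessageW", "SendMessageA", "PostMessageA"):
        return None
    msg = hex_arg(call, 1)
    return None if msg is None else MSG_NAMES.get(msg, "0x%X" % msg)


def classify(record: List[Call]) -> List[str]:
    """Apply the triage rules to one record; returns the names of the rules that fired."""
    direct = [c for c in record if c.subcall is None]  # subcall lines belong to callees
    apis = {c.api for c in direct}
    hits = []
    if "IsDebuggerPresent" in apis and apis & {"OutputDebugStringW", "OutputDebugStringA"}:
        hits.append("ANTI_DEBUG")  # debugger check paired with debug-output probe
    if any(c.api == "FindWindowW" and c.args[:1] == ["Shell_TrayWnd"] for c in direct) \
            and any(message_name(c) == "WM_COMMAND" for c in direct):
        hits.append("TRAY_COMMAND")  # WM_COMMAND posted to the taskbar window
    if any(c.api == "InternetSetOptionW" and hex_arg(c, 1) == INTERNET_OPTION_CONNECTED_STATE
           for c in direct):
        hits.append("WININET_CONNECTED")  # overrides WinINet's connected state
    return hits


def triage(text: str) -> List[dict]:
    """Parse and classify every record; one dict per record on which a rule fired."""
    out = []
    for rec in parse_records(text):
        direct = [c for c in rec if c.subcall is None]
        hits = classify(rec)
        if hits and direct:
            out.append({"first_ref": direct[0].ref, "rules": hits,
                        "apis": [c.api for c in direct]})
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Subcall lines are parsed but excluded from rule matching, because they describe a callee that many records share (the CRT and AutoIt runtime helpers above) and would otherwise fire the same rule on every caller. Argument fields are matched only when they are 8-digit hex literals; a "?" means the sandbox could not resolve the value, and treating it as a constant would produce false hits.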