
Windows Analysis Report
Bonifico 9252024pdf.exe

Overview

General Information

Sample name: Bonifico 9252024pdf.exe
Analysis ID: 1519632
MD5: 561e2701898470b157ac37bd29be6a88
SHA1: 402b39b4581207298c2696afb4ebe224da9b597f
SHA256: 79e31e087939f413301f214a422c46f9d32ed435fc34822611cb08a74266ba44
Tags: exe, SPAM-ITA, user-JAMESWT_MHT

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Bonifico 9252024pdf.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe" MD5: 561E2701898470B157AC37BD29BE6A88)
    • svchost.exe (PID: 5712 cmdline: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • autofmt.exe (PID: 6536 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)
        • wscript.exe (PID: 5128 cmdline: "C:\Windows\SysWOW64\wscript.exe" MD5: FF00E0480075B095948000BDC66E81F0)
          • cmd.exe (PID: 3532 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.reakinggroundtherapy.pro/e23y/"], "decoy": ["stiloeconforto.shop", "79nn470gl.autos", "ffg.autos", "elix-saaac.buzz", "tlasbet88win.sbs", "inoliga.app", "777.fun", "avada-ga-3.press", "avandakitchen.online", "61ep864tr.autos", "igitalonlineseva.online", "ar-deals-15908.bond", "sqqpkv.pro", "368i8rnoy.xyz", "lxspinsenin.lol", "9y204r7eo.sbs", "toptalkingaboutit.net", "eeplab.xyz", "filmyhit.vip", "athroom-remodeling-59089.bond", "hwqcoiu.xyz", "ome-care-76206.bond", "tudioalberto.online", "anfocusedviews.shop", "ibrarygym.online", "emosjumpers.net", "mg-marketing.online", "19bet.xyz", "7556r.club", "sed-cars-35796.bond", "liveiraeletro.online", "iangshen56.cloud", "aeempreendora.online", "bets.net", "sychology-degree-69585.bond", "est-arthritis-therapy-9711.buzz", "zkirv.top", "8015.xyz", "uwueriudsjkdjnfjkdjnkxzk.vip", "etausaha.online", "crubber-brush-64789.bond", "iversitiendaplus.shop", "wrzlak.buzz", "b-999.top", "ower-bank-za-4886348.world", "2361.asia", "believehim.net", "leeconcerned.info", "oland-flight-deal.today", "c-marketing.net", "wgxb.top", "pboardresult.net", "nitednationsofindia.net", "oupondhakel.shop", "elationship-coach-72450.bond", "ounjaronaturaloferta.online", "wpgs2448.vip", "8080734.xyz", "mvqimnpwkxcixccaeafmibpiq.top", "arpediemwireless.net", "eth-paaad.buzz", "renvillemarianne.net", "tephsmith.info", "opinformation.net"]}
Source | Rule | Description | Author (matched strings listed beneath each rule)
00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author (matched strings listed beneath each rule)
0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", CommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", ParentImage: C:\Users\user\Desktop\Bonifico 9252024pdf.exe, ParentProcessId: 6556, ParentProcessName: Bonifico 9252024pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", ProcessId: 5712, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", CommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", ParentImage: C:\Users\user\Desktop\Bonifico 9252024pdf.exe, ParentProcessId: 6556, ParentProcessName: Bonifico 9252024pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe", ProcessId: 5712, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T18:59:27.678642+0200 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49723 | 46.175.150.247 | 80 | TCP


AV Detection

Source: http://www.777.fun/e23y/www.uwueriudsjkdjnfjkdjnkxzk.vip Avira URL Cloud: Label: malware
Source: http://www.777.fun Avira URL Cloud: Label: malware
Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook (same configuration as listed under Classification above)
Source: Bonifico 9252024pdf.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Bonifico 9252024pdf.exe Joe Sandbox ML: detected
Source: Bonifico 9252024pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000002.00000003.2229304433.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229416827.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229304433.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2232341274.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4617858240.0000000000950000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Bonifico 9252024pdf.exe, 00000000.00000003.2174061658.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Bonifico 9252024pdf.exe, 00000000.00000003.2176491163.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2183160928.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181058271.0000000003400000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2230002857.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2231989312.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Bonifico 9252024pdf.exe, 00000000.00000003.2174061658.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Bonifico 9252024pdf.exe, 00000000.00000003.2176491163.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2183160928.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181058271.0000000003400000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, wscript.exe, 00000005.00000002.4618910428.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2230002857.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2231989312.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wscript.pdb source: svchost.exe, 00000002.00000003.2229304433.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229416827.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229304433.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2232341274.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, wscript.exe, 00000005.00000002.4617858240.0000000000950000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4634096994.00000000109CF000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4619749468.000000000547F000.00000004.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4618326549.00000000031C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4634096994.00000000109CF000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4619749468.000000000547F000.00000004.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4618326549.00000000031C9000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006B4696
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BC93C FindFirstFileW,FindClose, 0_2_006BC93C
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_006BC9C7
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF200
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF35D
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BF65E
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3A2B
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3D4E
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BBF27
Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_009623CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 5_2_009623CE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop esi 2_2_004172F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop esi 5_2_02B672F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop ebx 5_2_02B57B1B

Networking

Source: Network traffic Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49723 -> 46.175.150.247:80
Source: Network traffic Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49723 -> 46.175.150.247:80
Source: Network traffic Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49723 -> 46.175.150.247:80
Source: Malware configuration extractor URLs: www.reakinggroundtherapy.pro/e23y/
Source: unknown DNS traffic detected: query: www.uwueriudsjkdjnfjkdjnkxzk.vip reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.eth-paaad.buzz reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.mg-marketing.online reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.leeconcerned.info reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.reakinggroundtherapy.pro reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.ffg.autos reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.mvqimnpwkxcixccaeafmibpiq.top reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.igitalonlineseva.online reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.wgxb.top reply code: Name error (3)
Source: unknown DNS traffic detected: query: www.nitednationsofindia.net reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_006C25E2
Source: global traffic DNS traffic detected: DNS query: www.igitalonlineseva.online
Source: global traffic DNS traffic detected: DNS query: www.nitednationsofindia.net
Source: global traffic DNS traffic detected: DNS query: www.mvqimnpwkxcixccaeafmibpiq.top
Source: global traffic DNS traffic detected: DNS query: www.eth-paaad.buzz
Source: global traffic DNS traffic detected: DNS query: www.mg-marketing.online
Source: global traffic DNS traffic detected: DNS query: www.wgxb.top
Source: global traffic DNS traffic detected: DNS query: www.ffg.autos
Source: global traffic DNS traffic detected: DNS query: www.reakinggroundtherapy.pro
Source: global traffic DNS traffic detected: DNS query: www.filmyhit.vip
Source: global traffic DNS traffic detected: DNS query: www.777.fun
Source: global traffic DNS traffic detected: DNS query: www.uwueriudsjkdjnfjkdjnkxzk.vip
Source: global traffic DNS traffic detected: DNS query: www.leeconcerned.info
Source: explorer.exe, 00000003.00000002.4625438025.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000002.4625438025.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000002.4625438025.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000002.4625438025.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000000.2188229620.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4624097867.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4619117591.00000000028A0000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.19bet.xyz
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.19bet.xyz/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.19bet.xyz/e23y/www.wrzlak.buzz
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.19bet.xyzReferer:
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.777.fun
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.777.fun/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.777.fun/e23y/www.uwueriudsjkdjnfjkdjnkxzk.vip
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.777.funReferer:
Source: explorer.exe, 00000003.00000003.2982185797.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2982825062.000000000C40E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2982910337.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4632774975.000000000C402000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2983540185.000000000C401000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2979375399.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2192032380.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eth-paaad.buzz
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eth-paaad.buzz/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eth-paaad.buzz/e23y/www.mg-marketing.online
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eth-paaad.buzzReferer:
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffg.autos
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffg.autos/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffg.autos/e23y/www.reakinggroundtherapy.pro
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffg.autosReferer:
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.filmyhit.vip
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.filmyhit.vip/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.filmyhit.vip/e23y/www.777.fun
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.filmyhit.vipReferer:
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz/e23y/
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyz/e23y/www.pboardresult.net
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hwqcoiu.xyzReferer:
Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.igitalonlineseva.online
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igitalonlineseva.online/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igitalonlineseva.online/e23y/www.nitednationsofindia.net
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.igitalonlineseva.onlineReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leeconcerned.info
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leeconcerned.info/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leeconcerned.info/e23y/www.hwqcoiu.xyz
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leeconcerned.infoReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mg-marketing.online
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mg-marketing.online/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mg-marketing.online/e23y/www.wgxb.top
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mg-marketing.onlineReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mvqimnpwkxcixccaeafmibpiq.top
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mvqimnpwkxcixccaeafmibpiq.top/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mvqimnpwkxcixccaeafmibpiq.top/e23y/www.eth-paaad.buzz
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mvqimnpwkxcixccaeafmibpiq.topReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nitednationsofindia.net
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nitednationsofindia.net/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nitednationsofindia.net/e23y/www.mvqimnpwkxcixccaeafmibpiq.top
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nitednationsofindia.netReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pboardresult.net
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pboardresult.net/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pboardresult.net/e23y/www.19bet.xyz
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pboardresult.netReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.pro/e23y/www.filmyhit.vip
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.reakinggroundtherapy.proReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uwueriudsjkdjnfjkdjnkxzk.vip
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uwueriudsjkdjnfjkdjnkxzk.vip/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uwueriudsjkdjnfjkdjnkxzk.vip/e23y/www.leeconcerned.info
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uwueriudsjkdjnfjkdjnkxzk.vipReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.top/e23y/www.ffg.autos
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wgxb.topReferer:
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wrzlak.buzz
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wrzlak.buzz/e23y/
          Source: explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wrzlak.buzzReferer:
          Source: explorer.exe, 00000003.00000000.2189744197.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000003.00000000.2192032380.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
          Source: explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
          Source: explorer.exe, 00000003.00000000.2192032380.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com-
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
          Source: explorer.exe, 00000003.00000000.2192032380.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.come
          Source: explorer.exe, 00000003.00000000.2192032380.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comEMd
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000003.00000002.4626448543.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189744197.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/e
          Source: explorer.exe, 00000003.00000000.2192032380.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000C048000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comM
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

          Source: Yara match, file source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.4633750023.0000000010266000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Bonifico 9252024pdf.exe PID: 6556, type: MEMORYSTR, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: svchost.exe PID: 5712, type: MEMORYSTR, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR, matched rule: Semi-Auto-generated - file ironshell.php.txt, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
          Source: Process Memory Space: wscript.exe PID: 5128, type: MEMORYSTR, matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00653B4C
          Source: Bonifico 9252024pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: Bonifico 9252024pdf.exe, 00000000.00000000.2163573226.0000000000705000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_140f7fe5-2
          Source: Bonifico 9252024pdf.exe, 00000000.00000000.2163573226.0000000000705000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_dcd5e279-7
          Source: Bonifico 9252024pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_48a08446-d
          Source: Bonifico 9252024pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a9bd1a36-2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A330 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A460 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A3DA NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A385 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A45B NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041A50B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874340 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03874650 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872BE0 NtQueryValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C60 NtCreateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03872C70 NtFreeVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873090 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038735C0 NtCreateMutant
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03873D70 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BA042 NtQueryInformationProcess
          Source: C:\Windows\explorer.exe | Code function: 3_2_1024E232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 3_2_1024FE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 3_2_1024FE0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA35C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA4650 NtSuspendThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA4340 NtSetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA2B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA3090 NtSetValueKey
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA3010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA3D70 NtOpenThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA3D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04FA39B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A3E0 NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A330 NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A460 NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A385 NtCreateFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A3DA NtReadFile
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A45B NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_02B6A50B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04D6A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04D69BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04D6A042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_04D69BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006B4021: CreateFileW,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F7B1B05_2_04F7B1B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F5F1725_2_04F5F172
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FA516C5_2_04FA516C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0501F0CC5_2_0501F0CC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502F0E05_2_0502F0E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_050270E95_2_050270E9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502132D5_2_0502132D
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F8B2C05_2_04F8B2C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F752A05_2_04F752A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FB739A5_2_04FB739A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F5D34C5_2_04F5D34C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_050112ED5_2_050112ED
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05021D5A5_2_05021D5A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05027D735_2_05027D73
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FE9C325_2_04FE9C32
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F8FDC05_2_04F8FDC0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F73D405_2_04F73D40
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502FCF25_2_0502FCF2
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502FF095_2_0502FF09
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F79EB05_2_04F79EB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502FFB15_2_0502FFB1
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F71F925_2_04F71F92
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_050059105_2_05005910
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F738E05_2_04F738E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FDD8005_2_04FDD800
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F799505_2_04F79950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F8B9505_2_04F8B950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FB5AA05_2_04FB5AA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502FB765_2_0502FB76
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FE3A6C5_2_04FE3A6C
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FADBF95_2_04FADBF9
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04FE5BF05_2_04FE5BF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05027A465_2_05027A46
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0502FA495_2_0502FA49
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04F8FB805_2_04F8FB80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_05011AA35_2_05011AA3
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0500DAAC5_2_0500DAAC
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_0501DAC65_2_0501DAC6
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B6E3265_2_02B6E326
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B6E5B75_2_02B6E5B7
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B6D5735_2_02B6D573
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B59E605_2_02B59E60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B59E5B5_2_02B59E5B
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B52FB05_2_02B52FB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B6DDBE5_2_02B6DDBE
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_02B52D905_2_02B52D90
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D6A0365_2_04D6A036
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D6E5CD5_2_04D6E5CD
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D62D025_2_04D62D02
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D610825_2_04D61082
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D689125_2_04D68912
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D6B2325_2_04D6B232
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D65B325_2_04D65B32
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 5_2_04D65B305_2_04D65B30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 98 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 272 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 37 times
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: String function: 00670D27 appears 70 times
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: String function: 00657F41 appears 36 times
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: String function: 00678B40 appears 42 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04FA5130 appears 58 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04FDEA12 appears 86 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04FEF290 appears 105 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04FB7E54 appears 102 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04F5B970 appears 278 times
          Source: Bonifico 9252024pdf.exe, 00000000.00000003.2176059507.000000000425D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 9252024pdf.exe
          Source: Bonifico 9252024pdf.exe, 00000000.00000003.2181220239.00000000040E3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Bonifico 9252024pdf.exe
          Source: Bonifico 9252024pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.4633750023.0000000010266000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Bonifico 9252024pdf.exe PID: 6556, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 5712, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR | Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
          Source: Process Memory Space: wscript.exe PID: 5128, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@12/0
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006BA2D5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A8713 AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006BC602 CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_00654FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_03
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | File created: C:\Users\user\AppData\Local\Temp\autD714.tmp
          Source: Bonifico 9252024pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Bonifico 9252024pdf.exe | ReversingLabs: Detection: 44%
          Source: unknown | Process created: C:\Users\user\Desktop\Bonifico 9252024pdf.exe "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: wldp.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32
          Source: Bonifico 9252024pdf.exe | Static file information: File size 1120256 > 1048576
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Bonifico 9252024pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscript.pdbGCTL source: svchost.exe, 00000002.00000003.2229304433.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229416827.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229304433.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2232341274.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4617858240.0000000000950000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Bonifico 9252024pdf.exe, 00000000.00000003.2174061658.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Bonifico 9252024pdf.exe, 00000000.00000003.2176491163.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2183160928.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181058271.0000000003400000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2230002857.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2231989312.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Bonifico 9252024pdf.exe, 00000000.00000003.2174061658.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, Bonifico 9252024pdf.exe, 00000000.00000003.2176491163.0000000004130000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2183160928.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2230556233.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2181058271.0000000003400000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, wscript.exe, 00000005.00000002.4618910428.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2230002857.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.4618910428.00000000050CE000.00000040.00001000.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.2231989312.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wscript.pdb source: svchost.exe, 00000002.00000003.2229304433.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229416827.0000000003240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2229304433.000000000321B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2232341274.0000000003B50000.00000040.10000000.00040000.00000000.sdmp, wscript.exe, wscript.exe, 00000005.00000002.4617858240.0000000000950000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.4634096994.00000000109CF000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4619749468.000000000547F000.00000004.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4618326549.00000000031C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.4634096994.00000000109CF000.00000004.80000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4619749468.000000000547F000.00000004.10000000.00040000.00000000.sdmp, wscript.exe, 00000005.00000002.4618326549.00000000031C9000.00000004.00000020.00020000.00000000.sdmp
          Source: Bonifico 9252024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Bonifico 9252024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Bonifico 9252024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Bonifico 9252024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Bonifico 9252024pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress, 0_2_006CC304
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_00678B85 push ecx; ret 0_2_00678B98
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041702C pushad ; retf 2_2_0041702D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041726A push esp; iretd 2_2_0041726D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417AA2 push ds; retf 2_2_00417AA3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040AB37 push FFFFFFF3h; iretd 2_2_0040AB3A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4D2 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D4DB push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D485 push eax; ret 2_2_0041D4D8
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E571 push es; retf 2_2_0041E57A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041D53C push eax; ret 2_2_0041D542
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx 2_2_038309B6
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BEB1E push esp; retn 0000h 2_2_037BEB1F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BEB02 push esp; retn 0000h 2_2_037BEB03
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037BE9B5 push esp; retn 0000h 2_2_037BEAE7
          Source: C:\Windows\explorer.exe Code function: 3_2_10251B02 push esp; retn 0000h 3_2_10251B03
          Source: C:\Windows\explorer.exe Code function: 3_2_10251B1E push esp; retn 0000h 3_2_10251B1F
          Source: C:\Windows\explorer.exe Code function: 3_2_102519B5 push esp; retn 0000h 3_2_10251AE7
          Source: C:\Windows\explorer.exe Code function: 3_2_106A59B5 push esp; retn 0000h 3_2_106A5AE7
          Source: C:\Windows\explorer.exe Code function: 3_2_106A5B02 push esp; retn 0000h 3_2_106A5B03
          Source: C:\Windows\explorer.exe Code function: 3_2_106A5B1E push esp; retn 0000h 3_2_106A5B1F
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_00967C89 push ecx; ret 5_2_00967C9C
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_04F609AD push ecx; mov dword ptr [esp], ecx 5_2_04F609B6
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6726A push esp; iretd 5_2_02B6726D
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6702C pushad ; retf 5_2_02B6702D
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6D485 push eax; ret 5_2_02B6D4D8
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6D4D2 push eax; ret 5_2_02B6D4D8
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6D4DB push eax; ret 5_2_02B6D542
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6D53C push eax; ret 5_2_02B6D542
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B6E571 push es; retf 5_2_02B6E57A
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B67AA2 push ds; retf 5_2_02B67AA3
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_02B5AB37 push FFFFFFF3h; iretd 5_2_02B5AB3A
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00654A35
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_006D55FD
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_006733C7
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe API/Special instruction interceptor: Address: 3F53214
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Windows\SysWOW64\svchost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D324
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB4430774
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D944
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D504
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D544
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB4430154
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
          Source: C:\Windows\SysWOW64\wscript.exe API/Special instruction interceptor: Address: 7FFDB442DA44
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 2B59904 second address: 2B5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 2B59B7E second address: 2B59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9300
          Source: C:\Windows\explorer.exe Window / User API: threadDelayed 632
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 886
          Source: C:\Windows\SysWOW64\wscript.exe Window / User API: threadDelayed 1934
          Source: C:\Windows\SysWOW64\wscript.exe Window / User API: threadDelayed 8038
          Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-99230
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe API coverage: 4.6 %
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
          Source: C:\Windows\SysWOW64\wscript.exe API coverage: 1.6 %
          Source: C:\Windows\explorer.exe TID: 6812 Thread sleep count: 9300 > 30
          Source: C:\Windows\explorer.exe TID: 6812 Thread sleep time: -18600000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6812 Thread sleep count: 632 > 30
          Source: C:\Windows\explorer.exe TID: 6812 Thread sleep time: -1264000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 1812 Thread sleep count: 1934 > 30
          Source: C:\Windows\SysWOW64\wscript.exe TID: 1812 Thread sleep time: -3868000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 1812 Thread sleep count: 8038 > 30
          Source: C:\Windows\SysWOW64\wscript.exe TID: 1812 Thread sleep time: -16076000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_006B4696
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BC93C FindFirstFileW,FindClose, 0_2_006BC93C
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_006BC9C7
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF200
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_006BF35D
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BF65E
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3A2B
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_006B3D4E
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_006BBF27
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 5_2_009623CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, 5_2_009623CE
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00654AFE
          Source: explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
          Source: explorer.exe, 00000003.00000000.2189744197.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000003.00000002.4625438025.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
          Source: explorer.exe, 00000003.00000000.2189744197.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
          Source: explorer.exe, 00000003.00000000.2189317003.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
          Source: explorer.exe, 00000003.00000002.4618096481.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.4618096481.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
          Source: explorer.exe, 00000003.00000002.4625438025.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000003.00000000.2189744197.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
          Source: explorer.exe, 00000003.00000002.4618096481.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000003.00000002.4618096481.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.2189744197.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe API call chain: ExitProcess graph end node graph_0-97963
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe API call chain: ExitProcess graph end node graph_0-97891
          Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006C41FD BlockInput, 0_2_006C41FD
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00653B4C
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_00685CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00685CCC
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress, 0_2_006CC304
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_03F534E0 mov eax, dword ptr fs:[00000030h] 0_2_03F534E0
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_03F53480 mov eax, dword ptr fs:[00000030h] 0_2_03F53480
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe Code function: 0_2_03F51E70 mov eax, dword ptr fs:[00000030h] 0_2_03F51E70
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h] 2_2_0382E388
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h] 2_2_0385438F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h] 2_2_03828397
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h] 2_2_038EC3CD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0383A3C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h] 2_2_038383C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h] 2_2_038B63C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h] 2_2_038403E9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0384E3F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h] 2_2_038663FF
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h] 2_2_0386A30B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h] 2_2_0382C310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h] 2_2_03850310
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h] 2_2_038B2349
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h] 2_2_038B035C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h] 2_2_038FA352
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h] 2_2_038D437C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h] 2_2_0386E284
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h] 2_2_038B0283
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h] 2_2_038C62A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0383A2C3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h] 2_2_038402E1
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h] 2_2_0382823B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h] 2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h] 2_2_038B8243
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h] 2_2_0382A250
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h] 2_2_03836259
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h] 2_2_03834260
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h] 2_2_0382826B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h] 2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]2_2_038E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]2_2_03870185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]2_2_038EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]2_2_038B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]2_2_0382A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]2_2_038F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]2_2_038AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]2_2_039061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]2_2_038601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]2_2_038DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]2_2_038F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]2_2_03860124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]2_2_038C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]2_2_0382C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]2_2_038C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]2_2_03836154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]2_2_0383208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]2_2_038C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]2_2_038F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]2_2_038F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]2_2_038B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0382A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]2_2_038380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]2_2_038B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]2_2_0382C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]2_2_038720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]2_2_038B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]2_2_0384E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]2_2_0382A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]2_2_0382C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]2_2_038C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]2_2_03832050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]2_2_038B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]2_2_0385C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]2_2_038307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]2_2_0383C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]2_2_038B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]2_2_038527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]2_2_038BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]2_2_038347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]2_2_0386C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]2_2_03830710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]2_2_03860710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]2_2_0386C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]2_2_0386273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]2_2_038AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]2_2_0386674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]2_2_03830750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]2_2_038BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]2_2_03872750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]2_2_038B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]2_2_03838770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]2_2_03840770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]2_2_03834690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]2_2_0386C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]2_2_038666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0386A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]2_2_0386A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]2_2_038AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]2_2_038B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]2_2_038AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]2_2_0384260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]2_2_03872619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]2_2_0384E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]2_2_03866620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]2_2_03868620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]2_2_0383262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]2_2_0384C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]2_2_038F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]2_2_0386A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]2_2_03862674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]2_2_03832582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]2_2_03832582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]2_2_03864588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]2_2_0386E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]2_2_038B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]2_2_038545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]2_2_0386E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]2_2_038365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]2_2_0386A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]2_2_0385E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]2_2_038325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]2_2_0386C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]2_2_038C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]2_2_03904500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]2_2_03840535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]2_2_0385E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]2_2_03838550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]2_2_0386656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]2_2_038364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]2_2_038644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]2_2_038BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]2_2_038304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]2_2_03868402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]2_2_0382E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]2_2_0382C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]2_2_038B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]2_2_0386A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]2_2_0386E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]2_2_0382645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]2_2_0385245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]2_2_038BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]2_2_0385A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]2_2_03840BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]2_2_03850BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]2_2_03830BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]2_2_038DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]2_2_03838BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]2_2_0385EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]2_2_038BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_038AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0385EB20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0385EB20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_038F8B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_038F8B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_038C6B40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_038C6B40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h] | 2_2_038FAB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h] | 2_2_038D8B42
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h] | 2_2_0382CB7E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0383EA80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h] | 2_2_03904A80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h] | 2_2_03868A90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03838AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03838AA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03886AA4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] | 2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] | 2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h] | 2_2_03886ACC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03830AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03864AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03864AD0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0386AAEE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0386AAEE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h] | 2_2_038BCA11
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h] | 2_2_0386CA24
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h] | 2_2_0385EA2E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h] | 2_2_03854A35
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h] | 2_2_03854A35
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h] | 2_2_0386CA38
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h] | 2_2_03836A50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h] | 2_2_03840A5B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h] | 2_2_03840A5B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0386CA6F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_038ACA72
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_038ACA72
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h] | 2_2_038429A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h] | 2_2_038309AD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h] | 2_2_038309AD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_038B89B3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_038C69C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0383A9D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h] | 2_2_038649D0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_038FA9D3
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_038BE9E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h] | 2_2_038629F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h] | 2_2_038629F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h] | 2_2_038AE908
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h] | 2_2_038AE908
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h] | 2_2_038BC912
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h] | 2_2_03828918
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h] | 2_2_03828918
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h] | 2_2_038B892A
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h] | 2_2_038C892B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h] | 2_2_038B0946
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] | 2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] | 2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h] | 2_2_03856962
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h] | 2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h] | 2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h] | 2_2_0387096E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h] | 2_2_038BC97C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h] | 2_2_03830887
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h] | 2_2_038BC89D
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h] | 2_2_0385E8C0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h] | 2_2_038FA8E4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_0386C8F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h] | 2_2_0386C8F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h] | 2_2_038BC810
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov ecx, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h] | 2_2_03852835
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386A830 mov eax, dword ptr fs:[00000030h] | 2_2_0386A830
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03842840 mov ecx, dword ptr fs:[00000030h] | 2_2_03842840
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03860854 mov eax, dword ptr fs:[00000030h] | 2_2_03860854
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834859 mov eax, dword ptr fs:[00000030h] | 2_2_03834859
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03834859 mov eax, dword ptr fs:[00000030h] | 2_2_03834859
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE872 mov eax, dword ptr fs:[00000030h] | 2_2_038BE872
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BE872 mov eax, dword ptr fs:[00000030h] | 2_2_038BE872
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6870 mov eax, dword ptr fs:[00000030h] | 2_2_038C6870
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038C6870 mov eax, dword ptr fs:[00000030h] | 2_2_038C6870
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CF80 mov eax, dword ptr fs:[00000030h] | 2_2_0386CF80
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03862F98 mov eax, dword ptr fs:[00000030h] | 2_2_03862F98
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03862F98 mov eax, dword ptr fs:[00000030h] | 2_2_03862F98
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03832FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03832FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03832FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832FC8 mov eax, dword ptr fs:[00000030h] | 2_2_03832FC8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_0382EFD8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_0382EFD8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382EFD8 mov eax, dword ptr fs:[00000030h] | 2_2_0382EFD8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384CFE0 mov eax, dword ptr fs:[00000030h] | 2_2_0384CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0384CFE0 mov eax, dword ptr fs:[00000030h] | 2_2_0384CFE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870FF6 mov eax, dword ptr fs:[00000030h] | 2_2_03870FF6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870FF6 mov eax, dword ptr fs:[00000030h] | 2_2_03870FF6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870FF6 mov eax, dword ptr fs:[00000030h] | 2_2_03870FF6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03870FF6 mov eax, dword ptr fs:[00000030h] | 2_2_03870FF6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904FE7 mov eax, dword ptr fs:[00000030h] | 2_2_03904FE7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E6FF7 mov eax, dword ptr fs:[00000030h] | 2_2_038E6FF7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038E6F00 mov eax, dword ptr fs:[00000030h] | 2_2_038E6F00
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03832F12 mov eax, dword ptr fs:[00000030h] | 2_2_03832F12
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CF1F mov eax, dword ptr fs:[00000030h] | 2_2_0386CF1F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385EF28 mov eax, dword ptr fs:[00000030h] | 2_2_0385EF28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4F40 mov eax, dword ptr fs:[00000030h] | 2_2_038B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4F40 mov eax, dword ptr fs:[00000030h] | 2_2_038B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4F40 mov eax, dword ptr fs:[00000030h] | 2_2_038B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038B4F40 mov eax, dword ptr fs:[00000030h] | 2_2_038B4F40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0382CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0386CF50 mov eax, dword ptr fs:[00000030h] | 2_2_0386CF50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038D0F50 mov eax, dword ptr fs:[00000030h] | 2_2_038D0F50
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385AF69 mov eax, dword ptr fs:[00000030h] | 2_2_0385AF69
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0385AF69 mov eax, dword ptr fs:[00000030h] | 2_2_0385AF69
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03904F68 mov eax, dword ptr fs:[00000030h] | 2_2_03904F68
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382AE90 mov eax, dword ptr fs:[00000030h] | 2_2_0382AE90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382AE90 mov eax, dword ptr fs:[00000030h] | 2_2_0382AE90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0382AE90 mov eax, dword ptr fs:[00000030h] | 2_2_0382AE90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03862E9C mov eax, dword ptr fs:[00000030h] | 2_2_03862E9C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03862E9C mov ecx, dword ptr fs:[00000030h] | 2_2_03862E9C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BCEA0 mov eax, dword ptr fs:[00000030h] | 2_2_038BCEA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BCEA0 mov eax, dword ptr fs:[00000030h] | 2_2_038BCEA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038BCEA0 mov eax, dword ptr fs:[00000030h] | 2_2_038BCEA0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038CAEB0 mov eax, dword ptr fs:[00000030h] | 2_2_038CAEB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038CAEB0 mov eax, dword ptr fs:[00000030h] | 2_2_038CAEB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836EE0 mov eax, dword ptr fs:[00000030h] | 2_2_03836EE0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03836EE0 mov eax, dword ptr fs:[00000030h] | 2_2_03836EE0
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_006A81F7
          Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_0067A364 SetUnhandledExceptionFilter, | 0_2_0067A364
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_0067A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0067A395
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_00967A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 5_2_00967A38

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 4004
          Source: C:\Windows\SysWOW64\svchost.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 950000
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D9A008
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A8C93 LogonUserW, | 0_2_006A8C93
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00653B4C
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00654A35
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006B4EF5 mouse_event, | 0_2_006B4EF5
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_006A81F7
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 0_2_006B4C03
          Source: Bonifico 9252024pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: explorer.exe, 00000003.00000000.2185813165.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4618897066.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
          Source: Bonifico 9252024pdf.exe, explorer.exe, 00000003.00000002.4622747543.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2185813165.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4618897066.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.2185813165.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4618897066.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.2185460312.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4618096481.0000000000D60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
          Source: explorer.exe, 00000003.00000000.2185813165.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.4618897066.00000000013A1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000002.4626448543.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189744197.00000000098AD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_0067886B cpuid | 0_2_0067886B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: GetLocaleInfoW,wcsncmp, | 5_2_00967084
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, | 5_2_0096544C
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_006850D7
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_00692230 GetUserNameW, | 0_2_00692230
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_0068418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 0_2_0068418A
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00654AFE

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_81
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_XP
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_XPe
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_VISTA
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_7
          Source: Bonifico 9252024pdf.exe | Binary or memory string: WIN_8
          Source: Bonifico 9252024pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          Source: Yara match | File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Bonifico 9252024pdf.exe.3f60000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 0_2_006C6596
          Source: C:\Users\user\Desktop\Bonifico 9252024pdf.exe | Code function: 0_2_006C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_006C6A5A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_00959D9A CreateBindCtx,SysFreeString,SysAllocStringByteLen, | 5_2_00959D9A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_00961170 CreateBindCtx,CreateFileMoniker,MkParseDisplayName, | 5_2_00961170
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0095DEED CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx, | 5_2_0095DEED
MITRE ATT&CK Matrix (techniques listed per tactic column, top to bottom as in the report; a number in parentheses is the figure shown beside that technique in the report's matrix)

• Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
• Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
• Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
• Execution: Native API (2); Shared Modules (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
• Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
• Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (512); RC Scripts; Startup Items; Scheduled Task/Job; At
• Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (512); HTML Smuggling
• Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
• Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (225); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
• Collection: Archive Collected Data (1); Input Capture (21); Clipboard Data (3); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
• Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
• Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1519632; Sample: Bonifico 9252024pdf.exe; Startdate: 26/09/2024; Architecture: WINDOWS; Score: 100)

DNS/IP info: www.wgxb.top; www.uwueriudsjkdjnfjkdjnkxzk.vip; 10 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree:
• Bonifico 9252024pdf.exe (started)
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  • svchost.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 3 other signatures
    • explorer.exe (injected)
      • wscript.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        • cmd.exe (started)
          • conhost.exe (started)
      • autofmt.exe (started)

Source | Detection | Scanner | Label | Link
Bonifico 9252024pdf.exe | 45% | ReversingLabs | Win32.Backdoor.FormBook
Bonifico 9252024pdf.exe | 100% | Joe Sandbox ML
No Antivirus matches
URL reputation table: Source | Detection | Scanner | Label | Link
Contacted domains table: Name | IP | Active | Malicious | Antivirus Detection | Reputation
Contacted URLs table: Name | Malicious | Antivirus Detection | Reputation
www.reakinggroundtherapy.pro/e23y/ | true | Avira URL Cloud: safe | unknown
URLs from memory table: Name | Source | Malicious | Antivirus Detection | Reputation
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.19bet.xyzexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.nitednationsofindia.netexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.19bet.xyz/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.igitalonlineseva.online/e23y/www.nitednationsofindia.netexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hwqcoiu.xyz/e23y/www.pboardresult.netexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.eth-paaad.buzz/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.nitednationsofindia.net/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.mvqimnpwkxcixccaeafmibpiq.topReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.ffg.autosReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.filmyhit.vip/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhzexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://excel.office.com-explorer.exe, 00000003.00000000.2192032380.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.reakinggroundtherapy.pro/e23y/www.filmyhit.vipexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.wgxb.topexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgexplorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.mg-marketing.onlineexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-darkexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.777.funexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://www.leeconcerned.info/e23y/www.hwqcoiu.xyzexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AAexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.filmyhit.vip/e23y/www.777.funexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.filmyhit.vipReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hwqcoiu.xyzReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-cexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.reakinggroundtherapy.pro/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reveexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.19bet.xyzReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://powerpoint.office.comEMdexplorer.exe, 00000003.00000000.2192032380.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4631558622.000000000BFEF000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nationexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.igitalonlineseva.onlineexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.leeconcerned.info/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.uwueriudsjkdjnfjkdjnkxzk.vipexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.msn.com/explorer.exe, 00000003.00000002.4625438025.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.2189317003.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.mvqimnpwkxcixccaeafmibpiq.top/e23y/explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.eth-paaad.buzz/e23y/www.mg-marketing.onlineexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.mvqimnpwkxcixccaeafmibpiq.topexplorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.leeconcerned.infoReferer:explorer.exe, 00000003.00000002.4632974796.000000000C474000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.msn.com:443/en-us/feedexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-explorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-eiexplorer.exe, 00000003.00000000.2187354340.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.4623011941.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  No contacted IP infos
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1519632
                                  Start date and time:2024-09-26 18:55:10 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 10m 50s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:9
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:1
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Sample name:Bonifico 9252024pdf.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@10/4@12/0
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 59
                                  • Number of non-executed functions: 273
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                  • Report size getting too big, too many NtOpenKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: Bonifico 9252024pdf.exe
Time | Type | Description
12:56:50 | API Interceptor | 7843678x Sleep call for process: wscript.exe modified
12:56:51 | API Interceptor | 8943832x Sleep call for process: explorer.exe modified
                                  No context
                                  Process:C:\Users\user\Desktop\Bonifico 9252024pdf.exe
                                  File Type:ASCII text, with very long lines (28674), with no line terminators
                                  Category:dropped
                                  Size (bytes):28674
                                  Entropy (8bit):3.5753677529260455
                                  Encrypted:false
                                  SSDEEP:384:yJejrK62+OeUZ8CPlWrqGR5O+rKJmJEcXyNlLApyN0W0VTqdLIsHhC:seirPeU2CPlWrmcJEcXyNjcBqZxC
                                  MD5:94B6E6AA76C5AC15696268733C7CA883
                                  SHA1:DD1C1D7B42557F693A09D34F8D62C6ABB10D1940
                                  SHA-256:94EB669D67A125365A2621070E943E54C2848AF7D35CA6B9D52254F07C77591C
                                  SHA-512:99CD1DFA2D8A73FFA8B67F027562E5F89863A10FBE725310511E237D2F79A645114582A7309498262A6BBC8916B7A9B18C77490844D459693DC4379E0974B135
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\Bonifico 9252024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):179974
                                  Entropy (8bit):7.986211389334781
                                  Encrypted:false
                                  SSDEEP:3072:WSKj7KNCURDAAQjw4N8CK46pY9EnSQ0K63lY3XidGtRDD07cKgg8:WS9NNAAGGFjDnzL4QKu
                                  MD5:BBFD47B61EEC046237A2DC4B90D022F4
                                  SHA1:69531740A9CA0171FBF9B9BD4BC28F099BEB9905
                                  SHA-256:C2B1452BA5E78F2EA5CDAC3D374856655762E1BF9B594DEB4354ADDCDC1933F4
                                  SHA-512:29179658B3999FC37D2676A9478293F8256F85AB3699CF4C6A95958F22C45D5115C4DEEF89904B3409DE8434B7C357EB7FC469BECAFFC6138B668E8F00B90F58
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\Bonifico 9252024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):9710
                                  Entropy (8bit):7.603186067613886
                                  Encrypted:false
                                  SSDEEP:192:K7U22a8TD4D63ItzVBWGgJCFnckciA/akIJIpR/8G8XxuwjqnuU:K7iJ4D6YtSGgJ8hcb/8up8GC0wj2
                                  MD5:A0FB6EF4094FEC941039A415BBE2EA53
                                  SHA1:484C3EE5C01B7AAF6A75F44BE38AC716A9BAC799
                                  SHA-256:E2826C250A4F45154967E680DDB89488E7ED21B252EE8AA49EC2FA1AF34352BE
                                  SHA-512:49A67D1959A860F5A8F3BEED089CC3932D63441B806E9CADE305A5A8C986736FDA6691CC7367E6B41D49872506C4E2623F5FC6AF98C9C5E750726B81A7DE5765
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\Desktop\Bonifico 9252024pdf.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):189440
                                  Entropy (8bit):7.821411776951084
                                  Encrypted:false
                                  SSDEEP:3072:gm6i5tXCAB+eEOFKxXl0yytm3QhthQM2nIpgL4Tx1IDpA4DGFLa+UC/QJzi2W5I9:n68tXnBhpAXmbQ3ktOM2n3L4d1s2YGL+
                                  MD5:C5D86051BFFCEBFD4603C36369D736BC
                                  SHA1:2C212E68B4EC04B88A84275462077FDB387231A6
                                  SHA-256:BB70F95737E94F9F551A0682795BE6594448220E118E5282419642EE7AF18D06
                                  SHA-512:C971F4E01BF70106783EFE24F8D04F5BC1F3FE091E0E16B8E32B3515E681433454D35DF844DF4FFB9E8C8EA2A00349BC00D6A607E9D3F8FD93AC7F7A77404827
                                  Malicious:false
                                  Reputation:low
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.056637904105038
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:Bonifico 9252024pdf.exe
                                  File size:1'120'256 bytes
                                  MD5:561e2701898470b157ac37bd29be6a88
                                  SHA1:402b39b4581207298c2696afb4ebe224da9b597f
                                  SHA256:79e31e087939f413301f214a422c46f9d32ed435fc34822611cb08a74266ba44
                                  SHA512:dcac667d4961f1f282f37d9480efba54f852e6ca7277061ea7b0bbafc77dfbd23b27af6dd299fad448847f1fca9fba849a0dd9b414a1034468981006434ceb70
                                  SSDEEP:24576:rAHnh+eWsN3skA4RV1Hom2KXMmHazloS0vXp6riu/5:Gh+ZkldoPK8Yazl0Xpa
                                  TLSH:DD35AD0273D1C036FFAB92739B6AF20556BD79254123852F13982DB9BD701B2263E763
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x42800a
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F3ADF2 [Wed Sep 25 06:30:10 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                  Programming Language:
                                  • [ASM] VS2013 build 21005
                                  • [ C ] VS2013 build 21005
                                  • [C++] VS2013 build 21005
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2013 UPD5 build 40629
                                  • [RES] VS2013 build 21005
                                  • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x47160 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x47160 | 0x47200 | 68c9f195228e3d14363c349614c1804f | False | 0.9078118134885764 | data | 7.847105907424226 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x110000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x3e426 | data | | | 1.000337236387022
RT_GROUP_ICON | 0x10ebe0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10ec58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10ec6c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10ec80 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10ec94 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10ed70 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T18:59:27.678642+0200 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49723 | 46.175.150.247 | 80 | TCP
2024-09-26T18:59:27.678642+0200 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49723 | 46.175.150.247 | 80 | TCP
2024-09-26T18:59:27.678642+0200 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.6 | 49723 | 46.175.150.247 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 18:56:42.695445061 CEST | 55989 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:56:42.912511110 CEST | 53 | 55989 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:57:04.679205894 CEST | 53269 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:57:04.720674992 CEST | 53 | 53269 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:57:23.553985119 CEST | 61599 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:57:23.905704975 CEST | 53 | 61599 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:57:44.289397955 CEST | 55975 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:57:44.299359083 CEST | 53 | 55975 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:58:04.835506916 CEST | 51105 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:58:04.847345114 CEST | 53 | 51105 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:58:25.288603067 CEST | 63955 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:58:25.380400896 CEST | 53 | 63955 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:58:45.757198095 CEST | 49460 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:58:45.777661085 CEST | 53 | 49460 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:59:06.221009970 CEST | 58147 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:59:06.237842083 CEST | 53 | 58147 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:59:26.658185005 CEST | 62231 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:59:27.082251072 CEST | 53 | 62231 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 18:59:47.038610935 CEST | 55948 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 18:59:47.056565046 CEST | 53 | 55948 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 19:00:07.688524961 CEST | 49695 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 19:00:07.700645924 CEST | 53 | 49695 | 1.1.1.1 | 192.168.2.6
Sep 26, 2024 19:00:29.601281881 CEST | 62837 | 53 | 192.168.2.6 | 1.1.1.1
Sep 26, 2024 19:00:29.626550913 CEST | 53 | 62837 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 18:56:42.695445061 CEST | 192.168.2.6 | 1.1.1.1 | 0xd7c3 | Standard query (0) | www.igitalonlineseva.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:04.679205894 CEST | 192.168.2.6 | 1.1.1.1 | 0xc52 | Standard query (0) | www.nitednationsofindia.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:23.553985119 CEST | 192.168.2.6 | 1.1.1.1 | 0x875f | Standard query (0) | www.mvqimnpwkxcixccaeafmibpiq.top | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:44.289397955 CEST | 192.168.2.6 | 1.1.1.1 | 0xf335 | Standard query (0) | www.eth-paaad.buzz | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:04.835506916 CEST | 192.168.2.6 | 1.1.1.1 | 0xd02a | Standard query (0) | www.mg-marketing.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:25.288603067 CEST | 192.168.2.6 | 1.1.1.1 | 0xfbe3 | Standard query (0) | www.wgxb.top | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:45.757198095 CEST | 192.168.2.6 | 1.1.1.1 | 0x8386 | Standard query (0) | www.ffg.autos | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:06.221009970 CEST | 192.168.2.6 | 1.1.1.1 | 0x6525 | Standard query (0) | www.reakinggroundtherapy.pro | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:26.658185005 CEST | 192.168.2.6 | 1.1.1.1 | 0x8044 | Standard query (0) | www.filmyhit.vip | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:47.038610935 CEST | 192.168.2.6 | 1.1.1.1 | 0xd083 | Standard query (0) | www.777.fun | A (IP address) | IN (0x0001) | false
Sep 26, 2024 19:00:07.688524961 CEST | 192.168.2.6 | 1.1.1.1 | 0x8292 | Standard query (0) | www.uwueriudsjkdjnfjkdjnkxzk.vip | A (IP address) | IN (0x0001) | false
Sep 26, 2024 19:00:29.601281881 CEST | 192.168.2.6 | 1.1.1.1 | 0xdb07 | Standard query (0) | www.leeconcerned.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 18:56:42.912511110 CEST | 1.1.1.1 | 192.168.2.6 | 0xd7c3 | Name error (3) | www.igitalonlineseva.online | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:04.720674992 CEST | 1.1.1.1 | 192.168.2.6 | 0xc52 | Name error (3) | www.nitednationsofindia.net | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:23.905704975 CEST | 1.1.1.1 | 192.168.2.6 | 0x875f | Name error (3) | www.mvqimnpwkxcixccaeafmibpiq.top | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:57:44.299359083 CEST | 1.1.1.1 | 192.168.2.6 | 0xf335 | Name error (3) | www.eth-paaad.buzz | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:04.847345114 CEST | 1.1.1.1 | 192.168.2.6 | 0xd02a | Name error (3) | www.mg-marketing.online | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:25.380400896 CEST | 1.1.1.1 | 192.168.2.6 | 0xfbe3 | Name error (3) | www.wgxb.top | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:58:45.777661085 CEST | 1.1.1.1 | 192.168.2.6 | 0x8386 | Name error (3) | www.ffg.autos | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:06.237842083 CEST | 1.1.1.1 | 192.168.2.6 | 0x6525 | Name error (3) | www.reakinggroundtherapy.pro | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:27.082251072 CEST | 1.1.1.1 | 192.168.2.6 | 0x8044 | No error (0) | www.filmyhit.vip | | 46.175.150.247 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 18:59:47.056565046 CEST | 1.1.1.1 | 192.168.2.6 | 0xd083 | No error (0) | www.777.fun | d2atqkubdsk7og.cloudfront.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 19:00:07.700645924 CEST | 1.1.1.1 | 192.168.2.6 | 0x8292 | Name error (3) | www.uwueriudsjkdjnfjkdjnkxzk.vip | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 19:00:29.626550913 CEST | 1.1.1.1 | 192.168.2.6 | 0xdb07 | Name error (3) | www.leeconcerned.info | none | none | A (IP address) | IN (0x0001) | false
Target ID: 0
Start time: 12:56:06
Start date: 26/09/2024
Path: C:\Users\user\Desktop\Bonifico 9252024pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
Imagebase: 0x650000
File size: 1'120'256 bytes
MD5 hash: 561E2701898470B157AC37BD29BE6A88
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2184510833.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low
Has exited: true

Target ID: 2
Start time: 12:56:07
Start date: 26/09/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Bonifico 9252024pdf.exe"
Imagebase: 0x930000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2229552843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2230318671.0000000003680000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2229820455.0000000002FD0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:56:08
Start date: 26/09/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff609140000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
                                  • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.4633750023.0000000010266000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  Reputation:high
                                  Has exited:false

                                  Target ID:4
                                  Start time:12:56:10
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\autofmt.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\SysWOW64\autofmt.exe"
                                  Imagebase:0x990000
                                  File size:822'272 bytes
                                  MD5 hash:C72D80A976B7EB40534E8464957A979F
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:5
                                  Start time:12:56:10
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\wscript.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\SysWOW64\wscript.exe"
                                  Imagebase:0x950000
                                  File size:147'456 bytes
                                  MD5 hash:FF00E0480075B095948000BDC66E81F0
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4617950830.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4618265496.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4618161057.0000000003040000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high
                                  Has exited:false

                                  Target ID:6
                                  Start time:12:56:14
                                  Start date:26/09/2024
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                  Imagebase:0x1c0000
                                  File size:236'544 bytes
                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:12:56:14
                                  Start date:26/09/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff66e660000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:4%
                                    Dynamic/Decrypted Code Coverage:1.3%
                                    Signature Coverage:6.2%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:172
98944 688379 GetLastError 98940->98944 98945 6883bb 98940->98945 98943 6882ba 98941->98943 98942 68833c GetLastError 98947 678d47 __dosmaperr 58 API calls 98942->98947 98948 678d68 _W_expandtime 58 API calls 98943->98948 98949 678d47 __dosmaperr 58 API calls 98944->98949 98955 67d76a __set_osfhnd 59 API calls 98945->98955 98946->98940 98946->98942 98951 687f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98946->98951 98952 688361 98947->98952 98948->98927 98950 6883a0 CloseHandle 98949->98950 98950->98952 98953 6883ae 98950->98953 98954 688331 98951->98954 98957 678d68 _W_expandtime 58 API calls 98952->98957 98956 678d68 _W_expandtime 58 API calls 98953->98956 98954->98940 98954->98942 98959 6883d9 98955->98959 98958 6883b3 98956->98958 98957->98983 98958->98952 98960 688594 98959->98960 98961 681b11 __lseeki64_nolock 60 API calls 98959->98961 98975 68845a 98959->98975 98962 688767 CloseHandle 98960->98962 98960->98983 98963 688443 98961->98963 98964 687f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98962->98964 98965 678d34 __dosmaperr 58 API calls 98963->98965 98963->98975 98967 68878e 98964->98967 98965->98975 98966 6810ab 70 API calls __read_nolock 98966->98975 98968 6887c2 98967->98968 98969 688796 GetLastError 98967->98969 98968->98983 98970 678d47 __dosmaperr 58 API calls 98969->98970 98971 6887a2 98970->98971 98974 67d67d __free_osfhnd 59 API calls 98971->98974 98972 680d2d __close_nolock 61 API calls 98972->98975 98973 68848c 98973->98975 98976 6899f2 __chsize_nolock 82 API calls 98973->98976 98974->98968 98975->98960 98975->98966 98975->98972 98975->98973 98977 67dac6 __write 78 API calls 98975->98977 98978 688611 98975->98978 98980 681b11 60 API calls __lseeki64_nolock 98975->98980 98976->98973 98977->98975 98979 680d2d __close_nolock 61 API calls 98978->98979 98981 688618 98979->98981 98980->98975 98982 678d68 _W_expandtime 58 API calls 98981->98982 98982->98983 98983->98913 98984->98903 98985->98909 98986->98909 98988 654ce1 
98987->98988 98989 654d9d LoadLibraryA 98987->98989 98988->98789 98988->98792 98989->98988 98990 654dae GetProcAddress 98989->98990 98990->98988 98992 670ff6 Mailbox 59 API calls 98991->98992 98993 6553a0 98992->98993 98993->98797 98995 655003 FindResourceExW 98994->98995 98999 655020 98994->98999 98996 68dd5c LoadResource 98995->98996 98995->98999 98997 68dd71 SizeofResource 98996->98997 98996->98999 98998 68dd85 LockResource 98997->98998 98997->98999 98998->98999 98999->98798 99001 655054 99000->99001 99004 68ddd4 99000->99004 99006 675a7d 99001->99006 99003 655062 99003->98807 99005->98798 99009 675a89 _wprintf 99006->99009 99007 675a9b 99019 678d68 58 API calls __getptd_noexit 99007->99019 99009->99007 99010 675ac1 99009->99010 99021 676e4e 99010->99021 99012 675aa0 99020 678ff6 9 API calls _W_expandtime 99012->99020 99013 675ac7 99027 6759ee 83 API calls 5 library calls 99013->99027 99016 675ad6 99028 675af8 LeaveCriticalSection LeaveCriticalSection _fseek 99016->99028 99018 675aab _wprintf 99018->99003 99019->99012 99020->99018 99022 676e80 EnterCriticalSection 99021->99022 99023 676e5e 99021->99023 99024 676e76 99022->99024 99023->99022 99025 676e66 99023->99025 99024->99013 99026 679e4b __lock 58 API calls 99025->99026 99026->99024 99027->99016 99028->99018 99032 67582d 99029->99032 99031 65508e 99031->98817 99033 675839 _wprintf 99032->99033 99034 67587c 99033->99034 99035 675874 _wprintf 99033->99035 99038 67584f _memset 99033->99038 99036 676e4e __lock_file 59 API calls 99034->99036 99035->99031 99037 675882 99036->99037 99045 67564d 99037->99045 99059 678d68 58 API calls __getptd_noexit 99038->99059 99041 675869 99060 678ff6 9 API calls _W_expandtime 99041->99060 99048 675668 _memset 99045->99048 99051 675683 99045->99051 99046 675673 99157 678d68 58 API calls __getptd_noexit 99046->99157 99048->99046 99048->99051 99056 6756c3 99048->99056 99049 675678 99158 678ff6 9 API calls _W_expandtime 99049->99158 99061 6758b6 LeaveCriticalSection 
LeaveCriticalSection _fseek 99051->99061 99053 6757d4 _memset 99160 678d68 58 API calls __getptd_noexit 99053->99160 99056->99051 99056->99053 99062 674916 99056->99062 99069 6810ab 99056->99069 99137 680df7 99056->99137 99159 680f18 58 API calls 3 library calls 99056->99159 99059->99041 99060->99035 99061->99035 99063 674935 99062->99063 99064 674920 99062->99064 99063->99056 99161 678d68 58 API calls __getptd_noexit 99064->99161 99066 674925 99162 678ff6 9 API calls _W_expandtime 99066->99162 99068 674930 99068->99056 99070 6810cc 99069->99070 99071 6810e3 99069->99071 99172 678d34 58 API calls __getptd_noexit 99070->99172 99073 68181b 99071->99073 99078 68111d 99071->99078 99188 678d34 58 API calls __getptd_noexit 99073->99188 99075 6810d1 99173 678d68 58 API calls __getptd_noexit 99075->99173 99076 681820 99189 678d68 58 API calls __getptd_noexit 99076->99189 99080 681125 99078->99080 99086 68113c 99078->99086 99174 678d34 58 API calls __getptd_noexit 99080->99174 99081 681131 99190 678ff6 9 API calls _W_expandtime 99081->99190 99082 6810d8 99082->99056 99084 68112a 99175 678d68 58 API calls __getptd_noexit 99084->99175 99086->99082 99087 681151 99086->99087 99090 68116b 99086->99090 99092 681189 99086->99092 99176 678d34 58 API calls __getptd_noexit 99087->99176 99090->99087 99091 681176 99090->99091 99163 685ebb 99091->99163 99177 678a5d 58 API calls 2 library calls 99092->99177 99094 681199 99096 6811bc 99094->99096 99097 6811a1 99094->99097 99180 681b11 60 API calls 3 library calls 99096->99180 99178 678d68 58 API calls __getptd_noexit 99097->99178 99098 68128a 99100 681303 ReadFile 99098->99100 99105 6812a0 GetConsoleMode 99098->99105 99103 6817e3 GetLastError 99100->99103 99104 681325 99100->99104 99102 6811a6 99179 678d34 58 API calls __getptd_noexit 99102->99179 99107 6817f0 99103->99107 99108 6812e3 99103->99108 99104->99103 99112 6812f5 99104->99112 99109 681300 99105->99109 99110 6812b4 99105->99110 99186 678d68 58 API calls __getptd_noexit 
99107->99186 99122 6812e9 99108->99122 99181 678d47 58 API calls 2 library calls 99108->99181 99109->99100 99110->99109 99113 6812ba ReadConsoleW 99110->99113 99120 68135a 99112->99120 99112->99122 99124 6815c7 99112->99124 99113->99112 99115 6812dd GetLastError 99113->99115 99114 6817f5 99187 678d34 58 API calls __getptd_noexit 99114->99187 99115->99108 99118 672f95 _free 58 API calls 99118->99082 99121 6813c6 ReadFile 99120->99121 99128 681447 99120->99128 99125 6813e7 GetLastError 99121->99125 99135 6813f1 99121->99135 99122->99082 99122->99118 99123 6816cd ReadFile 99130 6816f0 GetLastError 99123->99130 99136 6816fe 99123->99136 99124->99122 99124->99123 99125->99135 99126 681504 99131 6814b4 MultiByteToWideChar 99126->99131 99184 681b11 60 API calls 3 library calls 99126->99184 99127 6814f4 99183 678d68 58 API calls __getptd_noexit 99127->99183 99128->99122 99128->99126 99128->99127 99128->99131 99130->99136 99131->99115 99131->99122 99135->99120 99182 681b11 60 API calls 3 library calls 99135->99182 99136->99124 99185 681b11 60 API calls 3 library calls 99136->99185 99138 680e02 99137->99138 99142 680e17 99137->99142 99224 678d68 58 API calls __getptd_noexit 99138->99224 99140 680e07 99225 678ff6 9 API calls _W_expandtime 99140->99225 99143 680e4c 99142->99143 99149 680e12 99142->99149 99226 686234 58 API calls __malloc_crt 99142->99226 99145 674916 _fprintf 58 API calls 99143->99145 99146 680e60 99145->99146 99191 680f97 99146->99191 99148 680e67 99148->99149 99150 674916 _fprintf 58 API calls 99148->99150 99149->99056 99151 680e8a 99150->99151 99151->99149 99152 674916 _fprintf 58 API calls 99151->99152 99153 680e96 99152->99153 99153->99149 99154 674916 _fprintf 58 API calls 99153->99154 99155 680ea3 99154->99155 99156 674916 _fprintf 58 API calls 99155->99156 99156->99149 99157->99049 99158->99051 99159->99056 99160->99049 99161->99066 99162->99068 99164 685ed3 99163->99164 99165 685ec6 99163->99165 99167 685edf 99164->99167 99168 678d68 _W_expandtime 58 
API calls 99164->99168 99166 678d68 _W_expandtime 58 API calls 99165->99166 99169 685ecb 99166->99169 99167->99098 99170 685f00 99168->99170 99169->99098 99171 678ff6 _W_expandtime 9 API calls 99170->99171 99171->99169 99172->99075 99173->99082 99174->99084 99175->99081 99176->99084 99177->99094 99178->99102 99179->99082 99180->99091 99181->99122 99182->99135 99183->99122 99184->99131 99185->99136 99186->99114 99187->99122 99188->99076 99189->99081 99190->99082 99192 680fa3 _wprintf 99191->99192 99193 680fb0 99192->99193 99194 680fc7 99192->99194 99195 678d34 __dosmaperr 58 API calls 99193->99195 99196 68108b 99194->99196 99199 680fdb 99194->99199 99198 680fb5 99195->99198 99197 678d34 __dosmaperr 58 API calls 99196->99197 99200 680ffe 99197->99200 99201 678d68 _W_expandtime 58 API calls 99198->99201 99202 680ff9 99199->99202 99203 681006 99199->99203 99208 678d68 _W_expandtime 58 API calls 99200->99208 99215 680fbc _wprintf 99201->99215 99204 678d34 __dosmaperr 58 API calls 99202->99204 99205 681028 99203->99205 99206 681013 99203->99206 99204->99200 99207 67d446 ___lock_fhandle 59 API calls 99205->99207 99209 678d34 __dosmaperr 58 API calls 99206->99209 99210 68102e 99207->99210 99211 681020 99208->99211 99212 681018 99209->99212 99213 681041 99210->99213 99214 681054 99210->99214 99218 678ff6 _W_expandtime 9 API calls 99211->99218 99216 678d68 _W_expandtime 58 API calls 99212->99216 99217 6810ab __read_nolock 70 API calls 99213->99217 99219 678d68 _W_expandtime 58 API calls 99214->99219 99215->99148 99216->99211 99220 68104d 99217->99220 99218->99215 99221 681059 99219->99221 99223 681083 __read LeaveCriticalSection 99220->99223 99222 678d34 __dosmaperr 58 API calls 99221->99222 99222->99220 99223->99215 99224->99140 99225->99149 99226->99143 99230 67543a GetSystemTimeAsFileTime 99227->99230 99229 6b91f8 99229->98819 99231 675468 __aulldiv 99230->99231 99231->99229 99233 675e9c _wprintf 99232->99233 99234 675ec3 99233->99234 99235 675eae 99233->99235 99236 
676e4e __lock_file 59 API calls 99234->99236 99246 678d68 58 API calls __getptd_noexit 99235->99246 99238 675ec9 99236->99238 99248 675b00 67 API calls 6 library calls 99238->99248 99239 675eb3 99247 678ff6 9 API calls _W_expandtime 99239->99247 99242 675ed4 99249 675ef4 LeaveCriticalSection LeaveCriticalSection _fseek 99242->99249 99244 675ebe _wprintf 99244->98824 99245 675ee6 99245->99244 99246->99239 99247->99244 99248->99242 99249->99245 99250->98681 99251->98688 99252->98702 99253->98704 99254->98700 99255->98710 99257 6592c9 Mailbox 99256->99257 99258 68f5c8 99257->99258 99263 6592d3 99257->99263 99259 670ff6 Mailbox 59 API calls 99258->99259 99261 68f5d4 99259->99261 99260 6592da 99260->98714 99263->99260 99264 659df0 59 API calls Mailbox 99263->99264 99264->99263 99265->98725 99266->98720 99268 6b99d2 __tzset_nolock _wcscmp 99267->99268 99269 6b9866 99268->99269 99270 65506b 74 API calls 99268->99270 99271 6b9393 GetSystemTimeAsFileTime 99268->99271 99272 655045 85 API calls 99268->99272 99269->98731 99269->98760 99270->99268 99271->99268 99272->99268 99274 6b8d9b 99273->99274 99275 6b8da9 99273->99275 99276 67548b 115 API calls 99274->99276 99277 6b8dee 99275->99277 99278 67548b 115 API calls 99275->99278 99303 6b8db2 99275->99303 99276->99275 99304 6b901b 99277->99304 99280 6b8dd3 99278->99280 99280->99277 99282 6b8ddc 99280->99282 99281 6b8e32 99283 6b8e57 99281->99283 99284 6b8e36 99281->99284 99285 6755d6 __fcloseall 83 API calls 99282->99285 99282->99303 99308 6b8c33 99283->99308 99288 6755d6 __fcloseall 83 API calls 99284->99288 99289 6b8e43 99284->99289 99285->99303 99288->99289 99292 6755d6 __fcloseall 83 API calls 99289->99292 99289->99303 99290 6b8e85 99317 6b8eb5 99290->99317 99291 6b8e65 99293 6b8e72 99291->99293 99295 6755d6 __fcloseall 83 API calls 99291->99295 99292->99303 99297 6755d6 __fcloseall 83 API calls 99293->99297 99293->99303 99295->99293 99297->99303 99300 6b8ea0 99302 6755d6 __fcloseall 83 API calls 99300->99302 99300->99303 
99302->99303 99303->98759 99305 6b9029 __tzset_nolock _memmove 99304->99305 99306 6b9040 99304->99306 99305->99281 99307 675812 __fread_nolock 74 API calls 99306->99307 99307->99305 99309 67594c _W_store_winword 58 API calls 99308->99309 99310 6b8c42 99309->99310 99311 67594c _W_store_winword 58 API calls 99310->99311 99312 6b8c56 99311->99312 99313 67594c _W_store_winword 58 API calls 99312->99313 99314 6b8c6a 99313->99314 99315 6b8f97 58 API calls 99314->99315 99316 6b8c7d 99314->99316 99315->99316 99316->99290 99316->99291 99318 6b8eca 99317->99318 99319 6b8f82 99318->99319 99321 6b8c8f 74 API calls 99318->99321 99324 6b8e8c 99318->99324 99346 6b909c 99318->99346 99354 6b8d2b 74 API calls 99318->99354 99350 6b91bf 99319->99350 99321->99318 99325 6b8f97 99324->99325 99326 6b8faa 99325->99326 99327 6b8fa4 99325->99327 99329 672f95 _free 58 API calls 99326->99329 99331 6b8fbb 99326->99331 99328 672f95 _free 58 API calls 99327->99328 99328->99326 99329->99331 99330 6b8e93 99330->99300 99333 6755d6 99330->99333 99331->99330 99332 672f95 _free 58 API calls 99331->99332 99332->99330 99334 6755e2 _wprintf 99333->99334 99335 6755f6 99334->99335 99336 67560e 99334->99336 99403 678d68 58 API calls __getptd_noexit 99335->99403 99338 676e4e __lock_file 59 API calls 99336->99338 99340 675606 _wprintf 99336->99340 99341 675620 99338->99341 99339 6755fb 99404 678ff6 9 API calls _W_expandtime 99339->99404 99340->99300 99387 67556a 99341->99387 99347 6b90eb 99346->99347 99348 6b90ab 99346->99348 99347->99348 99355 6b9172 99347->99355 99348->99318 99351 6b91cc 99350->99351 99352 6b91dd 99350->99352 99353 674a93 80 API calls 99351->99353 99352->99324 99353->99352 99354->99318 99356 6b91af 99355->99356 99357 6b919e 99355->99357 99356->99347 99359 674a93 99357->99359 99360 674a9f _wprintf 99359->99360 99361 674ad5 99360->99361 99362 674abd 99360->99362 99363 674acd _wprintf 99360->99363 99364 676e4e __lock_file 59 API calls 99361->99364 99384 678d68 58 API calls __getptd_noexit 
99362->99384 99363->99356 99366 674adb 99364->99366 99372 67493a 99366->99372 99367 674ac2 99385 678ff6 9 API calls _W_expandtime 99367->99385 99374 674949 99372->99374 99378 674967 99372->99378 99373 674957 99375 678d68 _W_expandtime 58 API calls 99373->99375 99374->99373 99374->99378 99382 674981 _memmove 99374->99382 99376 67495c 99375->99376 99377 678ff6 _W_expandtime 9 API calls 99376->99377 99377->99378 99386 674b0d LeaveCriticalSection LeaveCriticalSection _fseek 99378->99386 99379 67b05e __flsbuf 78 API calls 99379->99382 99380 674c6d __flush 78 API calls 99380->99382 99381 674916 _fprintf 58 API calls 99381->99382 99382->99378 99382->99379 99382->99380 99382->99381 99383 67dac6 __write 78 API calls 99382->99383 99383->99382 99384->99367 99385->99363 99386->99363 99388 67558d 99387->99388 99389 675579 99387->99389 99391 675589 99388->99391 99406 674c6d 99388->99406 99442 678d68 58 API calls __getptd_noexit 99389->99442 99405 675645 LeaveCriticalSection LeaveCriticalSection _fseek 99391->99405 99392 67557e 99443 678ff6 9 API calls _W_expandtime 99392->99443 99398 674916 _fprintf 58 API calls 99399 6755a7 99398->99399 99416 680c52 99399->99416 99401 6755ad 99401->99391 99402 672f95 _free 58 API calls 99401->99402 99402->99391 99403->99339 99404->99340 99405->99340 99407 674c80 99406->99407 99411 674ca4 99406->99411 99408 674916 _fprintf 58 API calls 99407->99408 99407->99411 99409 674c9d 99408->99409 99444 67dac6 99409->99444 99412 680dc7 99411->99412 99413 6755a1 99412->99413 99414 680dd4 99412->99414 99413->99398 99414->99413 99415 672f95 _free 58 API calls 99414->99415 99415->99413 99417 680c5e _wprintf 99416->99417 99418 680c6b 99417->99418 99419 680c82 99417->99419 99569 678d34 58 API calls __getptd_noexit 99418->99569 99421 680d0d 99419->99421 99423 680c92 99419->99423 99574 678d34 58 API calls __getptd_noexit 99421->99574 99422 680c70 99570 678d68 58 API calls __getptd_noexit 99422->99570 99426 680cba 99423->99426 99427 680cb0 99423->99427 99430 67d446 
___lock_fhandle 59 API calls 99426->99430 99571 678d34 58 API calls __getptd_noexit 99427->99571 99428 680cb5 99575 678d68 58 API calls __getptd_noexit 99428->99575 99431 680cc0 99430->99431 99433 680cde 99431->99433 99434 680cd3 99431->99434 99572 678d68 58 API calls __getptd_noexit 99433->99572 99554 680d2d 99434->99554 99435 680d19 99576 678ff6 9 API calls _W_expandtime 99435->99576 99438 680c77 _wprintf 99438->99401 99440 680cd9 99573 680d05 LeaveCriticalSection __unlock_fhandle 99440->99573 99442->99392 99443->99391 99445 67dad2 _wprintf 99444->99445 99446 67daf6 99445->99446 99447 67dadf 99445->99447 99448 67db95 99446->99448 99450 67db0a 99446->99450 99545 678d34 58 API calls __getptd_noexit 99447->99545 99551 678d34 58 API calls __getptd_noexit 99448->99551 99454 67db32 99450->99454 99455 67db28 99450->99455 99452 67dae4 99546 678d68 58 API calls __getptd_noexit 99452->99546 99472 67d446 99454->99472 99547 678d34 58 API calls __getptd_noexit 99455->99547 99456 67db2d 99552 678d68 58 API calls __getptd_noexit 99456->99552 99457 67daeb _wprintf 99457->99411 99460 67db38 99462 67db5e 99460->99462 99463 67db4b 99460->99463 99548 678d68 58 API calls __getptd_noexit 99462->99548 99481 67dbb5 99463->99481 99464 67dba1 99553 678ff6 9 API calls _W_expandtime 99464->99553 99468 67db63 99549 678d34 58 API calls __getptd_noexit 99468->99549 99469 67db57 99550 67db8d LeaveCriticalSection __unlock_fhandle 99469->99550 99473 67d452 _wprintf 99472->99473 99474 67d4a1 EnterCriticalSection 99473->99474 99476 679e4b __lock 58 API calls 99473->99476 99475 67d4c7 _wprintf 99474->99475 99475->99460 99477 67d477 99476->99477 99478 67d48f 99477->99478 99479 67a06b __mtinitlocknum InitializeCriticalSectionAndSpinCount 99477->99479 99480 67d4cb ___lock_fhandle LeaveCriticalSection 99478->99480 99479->99478 99480->99474 99482 67dbc2 __write_nolock 99481->99482 99483 67dc01 99482->99483 99484 67dc20 99482->99484 99512 67dbf6 99482->99512 99486 678d34 __dosmaperr 58 API calls 
99483->99486 99487 67dc78 99484->99487 99488 67dc5c 99484->99488 99485 67c836 __except_handler4 6 API calls 99489 67e416 99485->99489 99490 67dc06 99486->99490 99492 67dc91 99487->99492 99495 681b11 __lseeki64_nolock 60 API calls 99487->99495 99491 678d34 __dosmaperr 58 API calls 99488->99491 99489->99469 99493 678d68 _W_expandtime 58 API calls 99490->99493 99494 67dc61 99491->99494 99497 685ebb __flswbuf 58 API calls 99492->99497 99496 67dc0d 99493->99496 99498 678d68 _W_expandtime 58 API calls 99494->99498 99495->99492 99499 678ff6 _W_expandtime 9 API calls 99496->99499 99500 67dc9f 99497->99500 99502 67dc68 99498->99502 99499->99512 99501 67dff8 99500->99501 99506 679bec _wcstok 58 API calls 99500->99506 99503 67e016 99501->99503 99504 67e38b WriteFile 99501->99504 99505 678ff6 _W_expandtime 9 API calls 99502->99505 99507 67e13a 99503->99507 99515 67e02c 99503->99515 99508 67dfeb GetLastError 99504->99508 99513 67dfb8 99504->99513 99505->99512 99509 67dccb GetConsoleMode 99506->99509 99519 67e22f 99507->99519 99521 67e145 99507->99521 99508->99513 99509->99501 99511 67dd0a 99509->99511 99510 67e3c4 99510->99512 99517 678d68 _W_expandtime 58 API calls 99510->99517 99511->99501 99514 67dd1a GetConsoleCP 99511->99514 99512->99485 99513->99510 99513->99512 99518 67e118 99513->99518 99514->99510 99542 67dd49 99514->99542 99515->99510 99516 67e09b WriteFile 99515->99516 99516->99508 99520 67e0d8 99516->99520 99522 67e3f2 99517->99522 99523 67e123 99518->99523 99524 67e3bb 99518->99524 99519->99510 99525 67e2a4 WideCharToMultiByte 99519->99525 99520->99515 99526 67e0fc 99520->99526 99521->99510 99527 67e1aa WriteFile 99521->99527 99528 678d34 __dosmaperr 58 API calls 99522->99528 99530 678d68 _W_expandtime 58 API calls 99523->99530 99531 678d47 __dosmaperr 58 API calls 99524->99531 99525->99508 99537 67e2eb 99525->99537 99526->99513 99527->99508 99529 67e1f9 99527->99529 99528->99512 99529->99513 99529->99521 99529->99526 99532 67e128 99530->99532 99531->99512 99534 
678d34 __dosmaperr 58 API calls 99532->99534 99533 67e2f3 WriteFile 99536 67e346 GetLastError 99533->99536 99533->99537 99534->99512 99535 673835 __write_nolock 58 API calls 99535->99542 99536->99537 99537->99513 99537->99519 99537->99526 99537->99533 99538 687cae WriteConsoleW CreateFileW __putwch_nolock 99543 67de9f 99538->99543 99539 68650a 60 API calls __write_nolock 99539->99542 99540 67de32 WideCharToMultiByte 99540->99513 99541 67de6d WriteFile 99540->99541 99541->99508 99541->99543 99542->99513 99542->99535 99542->99539 99542->99540 99542->99543 99543->99508 99543->99513 99543->99538 99543->99542 99544 67dec7 WriteFile 99543->99544 99544->99508 99544->99543 99545->99452 99546->99457 99547->99456 99548->99468 99549->99469 99550->99457 99551->99456 99552->99464 99553->99457 99577 67d703 99554->99577 99556 680d91 99590 67d67d 59 API calls 2 library calls 99556->99590 99558 680d3b 99558->99556 99561 67d703 __lseeki64_nolock 58 API calls 99558->99561 99568 680d6f 99558->99568 99559 67d703 __lseeki64_nolock 58 API calls 99562 680d7b CloseHandle 99559->99562 99560 680d99 99567 680dbb 99560->99567 99591 678d47 58 API calls 2 library calls 99560->99591 99563 680d66 99561->99563 99562->99556 99565 680d87 GetLastError 99562->99565 99564 67d703 __lseeki64_nolock 58 API calls 99563->99564 99564->99568 99565->99556 99567->99440 99568->99556 99568->99559 99569->99422 99570->99438 99571->99428 99572->99440 99573->99438 99574->99428 99575->99435 99576->99438 99578 67d70e 99577->99578 99581 67d723 99577->99581 99579 678d34 __dosmaperr 58 API calls 99578->99579 99580 67d713 99579->99580 99584 678d68 _W_expandtime 58 API calls 99580->99584 99582 678d34 __dosmaperr 58 API calls 99581->99582 99585 67d748 99581->99585 99583 67d752 99582->99583 99586 678d68 _W_expandtime 58 API calls 99583->99586 99587 67d71b 99584->99587 99585->99558 99588 67d75a 99586->99588 99587->99558 99589 678ff6 _W_expandtime 9 API calls 99588->99589 99589->99587 99590->99560 99591->99567 99654 681b90 
99592->99654 99595 6548f7 99656 657eec 99595->99656 99596 6548da 99598 657d2c 59 API calls 99596->99598 99599 6548e6 99598->99599 99600 657886 59 API calls 99599->99600 99601 6548f2 99600->99601 99602 6709d5 99601->99602 99603 681b90 __write_nolock 99602->99603 99604 6709e2 GetLongPathNameW 99603->99604 99605 657d2c 59 API calls 99604->99605 99606 65741d 99605->99606 99607 65716b 99606->99607 99608 6577c7 59 API calls 99607->99608 99609 65717d 99608->99609 99610 6548ae 60 API calls 99609->99610 99611 657188 99610->99611 99612 68ecae 99611->99612 99613 657193 99611->99613 99618 68ecc8 99612->99618 99666 657a68 61 API calls 99612->99666 99614 653f84 59 API calls 99613->99614 99616 65719f 99614->99616 99660 6534c2 99616->99660 99619 6571b2 Mailbox 99619->98496 99621 654f3d 136 API calls 99620->99621 99622 6569ef 99621->99622 99623 68e45a 99622->99623 99624 654f3d 136 API calls 99622->99624 99625 6b97e5 122 API calls 99623->99625 99626 656a03 99624->99626 99627 68e46f 99625->99627 99626->99623 99630 656a0b 99626->99630 99628 68e490 99627->99628 99629 68e473 99627->99629 99632 670ff6 Mailbox 59 API calls 99628->99632 99631 654faa 84 API calls 99629->99631 99633 656a17 99630->99633 99634 68e47b 99630->99634 99631->99634 99653 68e4d5 Mailbox 99632->99653 99667 656bec 99633->99667 99777 6b4534 90 API calls _wprintf 99634->99777 99637 68e489 99637->99628 99639 68e689 99640 672f95 _free 58 API calls 99639->99640 99641 68e691 99640->99641 99642 654faa 84 API calls 99641->99642 99647 68e69a 99642->99647 99646 672f95 _free 58 API calls 99646->99647 99647->99646 99649 654faa 84 API calls 99647->99649 99780 6afcb1 89 API calls 4 library calls 99647->99780 99649->99647 99650 657f41 59 API calls 99650->99653 99653->99639 99653->99647 99653->99650 99760 6afc4d 99653->99760 99763 65766f 99653->99763 99771 6574bd 99653->99771 99778 6afb6e 61 API calls 2 library calls 99653->99778 99779 6b7621 59 API calls Mailbox 99653->99779 99655 6548bb GetFullPathNameW 99654->99655 99655->99595 
99655->99596 99657 657f06 99656->99657 99659 657ef9 99656->99659 99658 670ff6 Mailbox 59 API calls 99657->99658 99658->99659 99659->99599 99661 6534d4 99660->99661 99665 6534f3 _memmove 99660->99665 99663 670ff6 Mailbox 59 API calls 99661->99663 99662 670ff6 Mailbox 59 API calls 99664 65350a 99662->99664 99663->99665 99664->99619 99665->99662 99666->99612 99668 656c15 99667->99668 99669 68e847 99667->99669 99786 655906 60 API calls Mailbox 99668->99786 99872 6afcb1 89 API calls 4 library calls 99669->99872 99672 68e85a 99873 6afcb1 89 API calls 4 library calls 99672->99873 99673 656c37 99787 655956 99673->99787 99676 656c54 99678 6577c7 59 API calls 99676->99678 99680 656c60 99678->99680 99679 68e876 99682 656cc1 99679->99682 99800 670b9b 60 API calls __write_nolock 99680->99800 99684 68e889 99682->99684 99685 656ccf 99682->99685 99683 656c6c 99686 6577c7 59 API calls 99683->99686 99687 655dcf CloseHandle 99684->99687 99688 6577c7 59 API calls 99685->99688 99690 656c78 99686->99690 99691 68e895 99687->99691 99689 656cd8 99688->99689 99692 6577c7 59 API calls 99689->99692 99693 6548ae 60 API calls 99690->99693 99694 654f3d 136 API calls 99691->99694 99695 656ce1 99692->99695 99696 656c86 99693->99696 99697 68e8b1 99694->99697 99810 6546f9 99695->99810 99801 6559b0 ReadFile SetFilePointerEx 99696->99801 99698 68e8da 99697->99698 99701 6b97e5 122 API calls 99697->99701 99874 6afcb1 89 API calls 4 library calls 99698->99874 99705 68e8cd 99701->99705 99702 656cf8 99706 657c8e 59 API calls 99702->99706 99704 656cb2 99802 655c4e 99704->99802 99709 68e8d5 99705->99709 99710 68e8f6 99705->99710 99711 656d09 SetCurrentDirectoryW 99706->99711 99707 68e8f1 99715 656e6c Mailbox 99707->99715 99712 654faa 84 API calls 99709->99712 99713 654faa 84 API calls 99710->99713 99717 656d1c Mailbox 99711->99717 99712->99698 99714 68e8fb 99713->99714 99716 670ff6 Mailbox 59 API calls 99714->99716 99781 655934 99715->99781 99722 68e92f 99716->99722 99719 670ff6 Mailbox 59 API calls 
                                    [Control-flow graph edge list (basic-block addresses with called API names) continued from the preceding function; rendered graph not reproduced]

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B7A
                                    • IsDebuggerPresent.KERNEL32 ref: 00653B8C
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,007162F8,007162E0,?,?), ref: 00653BFD
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                      • Part of subcall function 00660A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C26,007162F8,?,?,?), ref: 00660ACE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00653C81
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007093F0,00000010), ref: 0068D4BC
                                    • SetCurrentDirectoryW.KERNEL32(?,007162F8,?,?,?), ref: 0068D4F4
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00705D40,007162F8,?,?,?), ref: 0068D57A
                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0068D581
                                      • Part of subcall function 00653A58: GetSysColorBrush.USER32(0000000F), ref: 00653A62
                                      • Part of subcall function 00653A58: LoadCursorW.USER32(00000000,00007F00), ref: 00653A71
                                      • Part of subcall function 00653A58: LoadIconW.USER32(00000063), ref: 00653A88
                                      • Part of subcall function 00653A58: LoadIconW.USER32(000000A4), ref: 00653A9A
                                      • Part of subcall function 00653A58: LoadIconW.USER32(000000A2), ref: 00653AAC
                                      • Part of subcall function 00653A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AD2
                                      • Part of subcall function 00653A58: RegisterClassExW.USER32(?), ref: 00653B28
                                      • Part of subcall function 006539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A15
                                      • Part of subcall function 006539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A36
                                      • Part of subcall function 006539E7: ShowWindow.USER32(00000000,?,?), ref: 00653A4A
                                      • Part of subcall function 006539E7: ShowWindow.USER32(00000000,?,?), ref: 00653A53
                                      • Part of subcall function 006543DB: _memset.LIBCMT ref: 00654401
                                      • Part of subcall function 006543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006544A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas$%n
                                    • API String ID: 529118366-38505642
                                    • Opcode ID: 4b80337d6dca99ca443fc61040946c8e57fd7da263a9d722104667d3145f8eea
                                    • Instruction ID: 1371413446ac22048fb8b126dcc13267054a1d11741e1abf87b61fbaa8e39c29
                                    • Opcode Fuzzy Hash: 4b80337d6dca99ca443fc61040946c8e57fd7da263a9d722104667d3145f8eea
                                    • Instruction Fuzzy Hash: 7051E970D04258AACF11EBB8EC159ED7BB7BB04741F04817DFC51A22E2DA78564ACB29

                                    Control-flow Graph

                                    [Control-flow graph for the function at 654fe9 (legend: Executed / Not Executed); edge list with basic-block addresses and called API names not reproduced, see the APIs list below]
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00654EEE,?,?,00000000,00000000), ref: 00654FF9
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00654EEE,?,?,00000000,00000000), ref: 00655010
                                    • LoadResource.KERNEL32(?,00000000,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F), ref: 0068DD60
                                    • SizeofResource.KERNEL32(?,00000000,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F), ref: 0068DD75
                                    • LockResource.KERNEL32(Ne,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F,00000000), ref: 0068DD88
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT$Ne
                                    • API String ID: 3051347437-3757719499
                                    • Opcode ID: 63d608e195eed4faeadd3920d99173b7904d524359d53313c9e2116e2946b92c
                                    • Instruction ID: 11d37896fdb6f382d02c3d950bca12c49d2b8e26491850fd1bc5a028090c5343
                                    • Opcode Fuzzy Hash: 63d608e195eed4faeadd3920d99173b7904d524359d53313c9e2116e2946b92c
                                    • Instruction Fuzzy Hash: E4115A75600700AFD7218B65DC58F677BBAEFC9B12F24816DF807862A0DB61E8048660

                                    Control-flow Graph

                                    [Control-flow graph for the function at 654afe (legend: Executed / Not Executed); edge list with basic-block addresses and called API names not reproduced, see the APIs list below]
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 00654B2B
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    • GetCurrentProcess.KERNEL32(?,006DFAEC,00000000,00000000,?), ref: 00654BF8
                                    • IsWow64Process.KERNEL32(00000000), ref: 00654BFF
                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00654C45
                                    • FreeLibrary.KERNEL32(00000000), ref: 00654C50
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00654C81
                                    • GetSystemInfo.KERNEL32(00000000), ref: 00654C8D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                    • String ID:
                                    • API String ID: 1986165174-0
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: Dtq$Dtq$Dtq$Dtq$Variable must be of type 'Object'.
                                    • API String ID: 0-522314805
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,0068E7C1), ref: 006B46A6
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 006B46B7
                                    • FindClose.KERNEL32(00000000), ref: 006B46C7
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660BBB
                                    • timeGetTime.WINMM ref: 00660E76
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660FB3
                                    • TranslateMessage.USER32(?), ref: 00660FC7
                                    • DispatchMessageW.USER32(?), ref: 00660FD5
                                    • Sleep.KERNEL32(0000000A), ref: 00660FDF
                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 0066105A
                                    • DestroyWindow.USER32 ref: 00661066
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00661080
                                    • Sleep.KERNEL32(0000000A,?,?), ref: 006952AD
                                    • TranslateMessage.USER32(?), ref: 0069608A
                                    • DispatchMessageW.USER32(?), ref: 00696098
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006960AC
                                    Strings
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prq$prq$prq$prq
                                    • API String ID: 4003667617-3597775008

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 006B91E9: __time64.LIBCMT ref: 006B91F3
                                      • Part of subcall function 00655045: _fseek.LIBCMT ref: 0065505D
                                    • __wsplitpath.LIBCMT ref: 006B94BE
                                      • Part of subcall function 0067432E: __wsplitpath_helper.LIBCMT ref: 0067436E
                                    • _wcscpy.LIBCMT ref: 006B94D1
                                    • _wcscat.LIBCMT ref: 006B94E4
                                    • __wsplitpath.LIBCMT ref: 006B9509
                                    • _wcscat.LIBCMT ref: 006B951F
                                    • _wcscat.LIBCMT ref: 006B9532
                                      • Part of subcall function 006B922F: _memmove.LIBCMT ref: 006B9268
                                      • Part of subcall function 006B922F: _memmove.LIBCMT ref: 006B9277
                                    • _wcscmp.LIBCMT ref: 006B9479
                                      • Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AAE
                                      • Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AC1
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B96DC
                                    • _wcsncpy.LIBCMT ref: 006B974F
                                    • DeleteFileW.KERNEL32(?,?), ref: 006B9785
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006B979B
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B97AC
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B97BE
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                    • String ID:
                                    • API String ID: 1500180987-0

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00653074
                                    • RegisterClassExW.USER32(00000030), ref: 0065309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                    • LoadIconW.USER32(000000A9), ref: 006530F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                    Strings
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00653074
                                    • RegisterClassExW.USER32(00000030), ref: 0065309E
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                    • InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                    • LoadIconW.USER32(000000A9), ref: 006530F2
                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                    Strings
                                    Similarity
                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2914291525-1005189915

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00654864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007162F8,?,006537C0,?), ref: 00654882
                                      • Part of subcall function 0067074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006572C5), ref: 00670771
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00657308
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0068ECF1
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0068ED32
                                    • RegCloseKey.ADVAPI32(?), ref: 0068ED70
                                    • _wcscat.LIBCMT ref: 0068EDC9
                                    Strings
                                    Similarity
                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                    • API String ID: 2673923337-2727554177

                                    Control-flow Graph

                                    APIs
                                    • DefWindowProcW.USER32(?,?,?,?), ref: 006536D2
                                    • KillTimer.USER32(?,00000001), ref: 006536FC
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0065371F
                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0065372A
                                    • CreatePopupMenu.USER32 ref: 0065373E
                                    • PostQuitMessage.USER32(00000000), ref: 0065375F
                                    Strings
                                    Similarity
                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                    • String ID: TaskbarCreated$%n
                                    • API String ID: 129472671-3795218793

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00653A62
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00653A71
                                    • LoadIconW.USER32(00000063), ref: 00653A88
                                    • LoadIconW.USER32(000000A4), ref: 00653A9A
                                    • LoadIconW.USER32(000000A2), ref: 00653AAC
                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AD2
                                    • RegisterClassExW.USER32(?), ref: 00653B28
                                      • Part of subcall function 00653041: GetSysColorBrush.USER32(0000000F), ref: 00653074
                                      • Part of subcall function 00653041: RegisterClassExW.USER32(00000030), ref: 0065309E
                                      • Part of subcall function 00653041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
                                      • Part of subcall function 00653041: InitCommonControlsEx.COMCTL32(?), ref: 006530CC
                                      • Part of subcall function 00653041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
                                      • Part of subcall function 00653041: LoadIconW.USER32(000000A9), ref: 006530F2
                                      • Part of subcall function 00653041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101
                                    Strings
                                    Similarity
                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 423443420-4155596026

                                    Control-flow Graph

                                    Strings
                                    Similarity
                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bq
                                    • API String ID: 1825951767-1838696661

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006703D3
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006703DB
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006703E6
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006703F1
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006703F9
                                      • Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00670401
                                      • Part of subcall function 00666259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0065FA90), ref: 006662B4
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0065FB2D
                                    • OleInitialize.OLE32(00000000), ref: 0065FBAA
                                    • CloseHandle.KERNEL32(00000000), ref: 006949F2
                                    Strings
                                    Similarity
                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                    • String ID: <gq$\dq$%n$cq
                                    • API String ID: 1986988660-3293497968
                                    • Opcode ID: 9db400524927ee3dd1db9ffc6faa052f3104dba38470caeda813a66da3a642ca
                                    • Instruction ID: 8d48e1334b3332fdbac34f12ddaede0a4a7ef20f395efc2c2b3058253ab79df9
                                    • Opcode Fuzzy Hash: 9db400524927ee3dd1db9ffc6faa052f3104dba38470caeda813a66da3a642ca
                                    • Instruction Fuzzy Hash: AF81BAB09022808ED784EF6DE9456D57BEAEB48708711C17E9819C72E2EB3D8648CF1C

                                    Control-flow Graph (rendered graph not preserved; the Executed/Not Executed colouring is lost). Entry block 3f525d0-3f5267e calls 3f50000. Blocks with API calls, in address order: 3f52685 CreateFileW (after a call to 3f534e0); 3f526c9 VirtualAlloc; 3f526ea ReadFile; 3f52708 VirtualAlloc; 3f527d0 CloseHandle; 3f527e0 VirtualFree; 3f528bc VirtualFree. Further subroutine calls: 3f53730 from 3f5274f and from 3f52781, 3f53540 from 3f527b2. The single-address blocks at 3f526ad, 3f526c4, 3f526e5, 3f52703, 3f5274a and 3f527c8 all branch to 3f527fd; the block at 3f527ee-3f527f7 branches either back to the CreateFileW block at 3f52685 or on to 3f527fd.
                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F526A1
                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F528C7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileFreeVirtual
                                    • String ID:
                                    • API String ID: 204039940-0
                                    • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                    • Instruction ID: 019d674e3949659f4e493a4813c7b0db537e0518fb7497153e6843014d0ab634
                                    • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                    • Instruction Fuzzy Hash: 5EA10A75E00209EBDB14CFE4C994BEEB7B5BF48305F248659EA01BB280D7759A41CF94

                                    Control-flow Graph (rendered graph not preserved): a single basic block 6539e7-653a57 that calls CreateWindowExW twice and ShowWindow twice.
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A15
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A36
                                    • ShowWindow.USER32(00000000,?,?), ref: 00653A4A
                                    • ShowWindow.USER32(00000000,?,?), ref: 00653A53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: 1fe544dac224c871d743ee69ef8dfb7f9ea86c71995cab2d7bc62ea95f868755
                                    • Instruction ID: a46c156c71e14e1e8af801e16832fcb36562fe1292423fd224e34d29fb2aec1f
                                    • Opcode Fuzzy Hash: 1fe544dac224c871d743ee69ef8dfb7f9ea86c71995cab2d7bc62ea95f868755
                                    • Instruction Fuzzy Hash: 4CF03070A012907EEA30171B6C08EA73E7EE7C6F60B01C02AB900A21B0C1B94801CAB4

                                    Control-flow Graph (rendered graph not preserved; the Executed/Not Executed colouring is lost). Entry block 3f523b0-3f524c6 calls 3f50000 and 3f522a0, then CreateFileW. It continues to 3f524e4 VirtualAlloc, 3f52502 ReadFile and 3f5251d-3f52557 (calls 3f522e0 and 3f512a0), then reaches ExitProcess at 3f52573 either directly or via 3f52559 (calls 3f52330). The single-address blocks at 3f524c8, 3f524df, 3f52500 and 3f5251b, and the ExitProcess block, all lead to the final block 3f5257d-3f52582.
                                    APIs
                                      • Part of subcall function 03F522A0: Sleep.KERNELBASE(000001F4), ref: 03F522B1
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F524BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: OAZ1GHANNWDP1
                                    • API String ID: 2694422964-2569379363
                                    • Opcode ID: 25534154ddfcdf321e4cb5da9ce35c01e05c3d832651f3ff8d81e43937de4be2
                                    • Instruction ID: e1c60649a641f10a2e0161ebf354acd916dd6bf31cbe9f6679b1975cbfd2aa3c
                                    • Opcode Fuzzy Hash: 25534154ddfcdf321e4cb5da9ce35c01e05c3d832651f3ff8d81e43937de4be2
                                    • Instruction Fuzzy Hash: 4A518E35D14249EBEF15DBE4C814BEEBB79AF08300F044699E608BB2C0D7B91B45CBA5

                                    Control-flow Graph (rendered graph not preserved; the Executed/Not Executed colouring is lost). Entry block 65410d-654123 either goes straight to the final block 654200-654204 or to 654129 (calls 657b76), which continues either to 68d5dd LoadStringW or to 654144 (calls 657d2c). From there the blocks 65416a, 654174 (calls 657c8e), 654205 (calls 6581a7), 68d5f7 (calls 657c8e, 657143) and 68d615 (calls 657e0b, 657143, 657e0b) all converge on 65417e-6541fb, which calls 673020, 65463e, 672ffc, Shell_NotifyIconW and 655a64 before reaching 654200.
                                    APIs
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0068D5EC
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    • _memset.LIBCMT ref: 0065418D
                                    • _wcscpy.LIBCMT ref: 006541E1
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006541F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 3942752672-1585850449
                                    • Opcode ID: b8c5ec26ede90e329cbea311dcfa139b3af7b442f8b06c27cb58006c4cf0b21c
                                    • Instruction ID: 6d4f28add9c2e24d2b5752dc2547271d07dedd7ef2818ccaf1b43bb5358b1620
                                    • Opcode Fuzzy Hash: b8c5ec26ede90e329cbea311dcfa139b3af7b442f8b06c27cb58006c4cf0b21c
                                    • Instruction Fuzzy Hash: 1731E4714083049AD371EB64EC46BDB73EAAF44305F10851EF985921D1DF74968CC79B
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                    • String ID:
                                    • API String ID: 1559183368-0
                                    • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction ID: 957dd9ba06feb8edd37308a4c584365228a4ded106d319836ac5244d095deee1
                                    • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                    • Instruction Fuzzy Hash: 8D518530A00B05DBDB289F6988846AE77A7AF41320F64C7ADF82E962D0D7B09D518B45
                                    APIs
                                      • Part of subcall function 00654F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654F6F
                                    • _free.LIBCMT ref: 0068E68C
                                    • _free.LIBCMT ref: 0068E6D3
                                      • Part of subcall function 00656BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656D0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 2861923089-1757145024
                                    • Opcode ID: dcaabf8e3f0fb5c5bdbc1837ab27867466ea5359108286f4acb891e9f76d455c
                                    • Instruction ID: 495e7bc29fc8241769d4c211f0fbbde0d14902eb54a580ce1abc001291b352c3
                                    • Opcode Fuzzy Hash: dcaabf8e3f0fb5c5bdbc1837ab27867466ea5359108286f4acb891e9f76d455c
                                    • Instruction Fuzzy Hash: E991B071910219EFCF04EFA4C8919EDB7B6FF19310F04456EF816AB291EB31A949CB64
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006535A1,SwapMouseButtons,00000004,?), ref: 006535D4
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 006535F5
                                    • RegCloseKey.KERNELBASE(00000000,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 00653617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
                                    • Instruction ID: c74240182437a8558084735fcd9eb749679408b0506da973935421e6e5d774d0
                                    • Opcode Fuzzy Hash: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
                                    • Instruction Fuzzy Hash: 62115A71911228BFDB208F64DC40EEEB7BAEF04B81F00946AF805D7310D2719F549760
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03F51A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F51AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F51B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                    • Instruction ID: ea169020bf005ff633afeff6d9321441ee3e209f73988e1db59e9d915590b3a0
                                    • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                    • Instruction Fuzzy Hash: B9620E34A14258DBEB24CFA4C851BDEB375EF58300F1091A9E60DEB390E7799E81CB59
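                                    The record above (CreateProcessW, Wow64GetThreadContext, ReadProcessMemory in one routine at 03F51A5B) is the API triple a triage script should flag as a process-hollowing candidate, and the GetTempPathW / GetTempFileNameW("aut") pair later on this page is the AutoIt runtime's scratch-file drop. The following is an added example, not part of the Joe Sandbox report or of the sample: a Python parser for the "APIs" record format used on this page plus two rules run over it. The sample input is constructed from records on this page (argument lists trimmed). The wider API name sets in the hollowing rule (SetThreadContext, WriteProcessMemory, NtUnmapViewOfSection, the A/Internal forms of CreateProcess) are the standard hollowing sequence and are an assumption of the rule, not something the report lists for that one function.

```python
"""Rule-based triage of Joe Sandbox "APIs" records such as the ones in this function dump."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# One "• Api.MODULE(args), ref: ADDR" line. Lines of the form
# "• Part of subcall function X: Api.MODULE(...), ref: ADDR" carry the callee address X.
# Library-call lines such as "• _memset.LIBCMT ref: ADDR" have no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall: Optional[str]  # callee address when the call is attributed to a subcall


@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)

    @property
    def name(self) -> str:
        """Key a record by its first directly attributed call site."""
        direct = [c for c in self.calls if c.subcall is None]
        return (direct or self.calls)[0].ref


def parse_records(text: str) -> list[Record]:
    """Split the text at each "APIs" header and collect the call lines under it."""
    records: list[Record] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(Record())
            continue
        m = API_LINE.match(line)
        if m and records:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            records[-1].calls.append(Call(m["api"], m["module"], args, m["ref"].upper(), m["sub"]))
    return [r for r in records if r.calls]


def looks_like_process_hollowing(rec: Record) -> bool:
    """CreateProcess*, thread-context access and remote-memory I/O in one routine.

    The record at 03F51A5B on this page shows exactly this triple (the Wow64* names are
    the 32-bit-process-on-64-bit-Windows forms). The wider name sets are the standard
    hollowing sequence and are an assumption of this rule, not something the report
    lists for that function.
    """
    names = {c.api for c in rec.calls}
    return (bool(names & {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"})
            and bool(names & {"GetThreadContext", "Wow64GetThreadContext",
                              "SetThreadContext", "Wow64SetThreadContext"})
            and bool(names & {"ReadProcessMemory", "WriteProcessMemory",
                              "NtUnmapViewOfSection", "ZwUnmapViewOfSection"}))


def drops_autoit_tempfile(rec: Record) -> bool:
    """GetTempPathW plus GetTempFileNameW with the "aut" prefix (AutoIt's aut*.tmp
    scratch files, as in the GetTempFileNameW record on this page)."""
    has_path = any(c.api == "GetTempPathW" for c in rec.calls)
    return has_path and any(
        c.api == "GetTempFileNameW" and len(c.args) >= 2 and c.args[1].lower() == "aut"
        for c in rec.calls
    )


RULES: dict[str, Callable[[Record], bool]] = {
    "process_hollowing": looks_like_process_hollowing,
    "autoit_tempfile": drops_autoit_tempfile,
}


def triage(text: str) -> dict[str, list[str]]:
    """Map each record (by its first direct call site) to the rules it trips."""
    return {rec.name: [n for n, rule in RULES.items() if rule(rec)] for rec in parse_records(text)}


# Constructed input: four "APIs" records copied from this page (argument lists trimmed).
SAMPLE = r"""
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03F51A5B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F51AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F51B13
Memory Dump Source
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 006B9B82
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006B9B99
Strings
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001), ref: 006535D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?), ref: 006535F5
• RegCloseKey.KERNELBASE(00000000,?,?,006535A1,SwapMouseButtons,00000004), ref: 00653617
APIs
  • Part of subcall function 03F522A0: Sleep.KERNELBASE(000001F4), ref: 03F522B1
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F524BC
"""

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits or "-")
```

Run on the constructed sample, the hollowing rule fires only for the 03F51A5B record and the temp-file rule only for 006B9B82; the registry read of Control Panel\Mouse and the CreateFileW/Sleep routine trip nothing. Subcall lines are kept with their callee address so a rule can decide whether delegated calls count; both rules here count them. The parser makes no attempt to recover truncated argument lists, so flag checks such as CREATE_SUSPENDED on CreateProcessW, which the report does not show, are deliberately not part of the rule.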
                                    APIs
                                      • Part of subcall function 00655045: _fseek.LIBCMT ref: 0065505D
                                      • Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AAE
                                      • Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AC1
                                    • _free.LIBCMT ref: 006B992C
                                    • _free.LIBCMT ref: 006B9933
                                    • _free.LIBCMT ref: 006B999E
                                      • Part of subcall function 00672F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00679C64), ref: 00672FA9
                                      • Part of subcall function 00672F95: GetLastError.KERNEL32(00000000,?,00679C64), ref: 00672FBB
                                    • _free.LIBCMT ref: 006B99A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
                                    • Instruction ID: 1386bac0f266146730e1d2637af74c408cbc55d776c8e6750fd9fc5d09a56c87
                                    • Opcode Fuzzy Hash: fd18de759458e21508ccb8b902dfc4ac475c3880c7526805842eb646ad61b447
                                    • Instruction Fuzzy Hash: 0D5150F1904218AFDF649F64CC45ADEBB7AEF48300F04449EF649A7241DB755990CF58
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                    • String ID:
                                    • API String ID: 2782032738-0
                                    • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction ID: d4e4c453d26a741c65a2d759ba31ba526f3421e58b565e874feeeef3ba6a39a0
                                    • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                    • Instruction Fuzzy Hash: 7541C4716406059BDF288EA9C8889AF77ABEF80360B24C16DE95D87784EF70DD418B44
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: AU3!P/n$EA06
                                    • API String ID: 4104443479-1756779138
                                    • Opcode ID: 764ee1d5a3093eadb1814092b091fc6e03127ef3468ac286044d535a1e814245
                                    • Instruction ID: bde04d906be7ae9e9de233490f2bf211c76a93492b9466f590d33b6face8a8c9
                                    • Opcode Fuzzy Hash: 764ee1d5a3093eadb1814092b091fc6e03127ef3468ac286044d535a1e814245
                                    • Instruction Fuzzy Hash: C3416C72A041545BCF115B688C677FE7FA7AB4130AF1840E9EC829B282DD218DCD87A1
                                    APIs
                                    • _memset.LIBCMT ref: 0068EE62
                                    • GetOpenFileNameW.COMDLG32(?), ref: 0068EEAC
                                      • Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE
                                      • Part of subcall function 006709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006709F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Name$Path$FileFullLongOpen_memset
                                    • String ID: X
                                    • API String ID: 3777226403-3081909835
                                    • Opcode ID: 05f2b057d293ec364ee7d7c9883b6b0beef0b84daa93e56a12fecb554abe0808
                                    • Instruction ID: 93c86dbdceb68fb9bfbb2be8083fdf7f4e5c4b95e4b44e9dcd688bc8488779ea
                                    • Opcode Fuzzy Hash: 05f2b057d293ec364ee7d7c9883b6b0beef0b84daa93e56a12fecb554abe0808
                                    • Instruction Fuzzy Hash: 3B21F6309002589BCB51DF94C8057EE7BFE9F49301F00801AE908E7381DBB8598E8BA5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock_memmove
                                    • String ID: EA06
                                    • API String ID: 1988441806-3962188686
                                    • Opcode ID: 553a7097b83c02264740aab276619f7c96bd908914e6d25f694a2b3faf3ead1b
                                    • Instruction ID: 65933f5ecd242a63be70a0e6722a59dd518005d1f369ef8b61c3be7df30f3936
                                    • Opcode Fuzzy Hash: 553a7097b83c02264740aab276619f7c96bd908914e6d25f694a2b3faf3ead1b
                                    • Instruction Fuzzy Hash: FA01F971804258BFDB28C6A8C856EEE7BF89B11301F00829EF556D2181E5B5A6048B60
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 006B9B82
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006B9B99
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: e79c1fef3028057310f19152a4551ffa2f02c8e6d17ddd426a25fcaf47062766
                                    • Instruction ID: 5ad5b393f46bf204d4b437fc2ea404f0f847ed8757499e78275e22e8915257ab
                                    • Opcode Fuzzy Hash: e79c1fef3028057310f19152a4551ffa2f02c8e6d17ddd426a25fcaf47062766
                                    • Instruction Fuzzy Hash: C9D05E7994130EBBDB109BD4DC0EFAA776CE704700F0042A2BE55911A1DEB456988B91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7540d71cec85f8dd4f6492f16a87e52bb06c3c4666b4cf04c7f4478919c85b0a
                                    • Instruction ID: 245523f3fcba95180e502b92461fafe885839720d8f94e81bb887e3b00d330f6
                                    • Opcode Fuzzy Hash: 7540d71cec85f8dd4f6492f16a87e52bb06c3c4666b4cf04c7f4478919c85b0a
                                    • Instruction Fuzzy Hash: EAF13B706083019FCB54DF28C484A6ABBE6FF88314F14892EF89A9B351D735E945CF96
                                    APIs
                                    • _memset.LIBCMT ref: 00654401
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006544A6
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006544C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_$_memset
                                    • String ID:
                                    • API String ID: 1505330794-0
                                    • Opcode ID: d6a7a696883ca38b026073d6bc953522221505e857eaa5cde4c2c6535569278d
                                    • Instruction ID: 4be4800e8d432063508ee6de5cfb405ba32a39e9ff4617a9441b02c956813b7c
                                    • Opcode Fuzzy Hash: d6a7a696883ca38b026073d6bc953522221505e857eaa5cde4c2c6535569278d
                                    • Instruction Fuzzy Hash: 303184705057118FD720DF24D8847DBBBF9FB48309F00496EE99A83381DB756988CB96
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 00675963
                                      • Part of subcall function 0067A3AB: __NMSG_WRITE.LIBCMT ref: 0067A3D2
                                      • Part of subcall function 0067A3AB: __NMSG_WRITE.LIBCMT ref: 0067A3DC
                                    • __NMSG_WRITE.LIBCMT ref: 0067596A
                                      • Part of subcall function 0067A408: GetModuleFileNameW.KERNEL32(00000000,007143BA,00000104,?,00000001,00000000), ref: 0067A49A
                                      • Part of subcall function 0067A408: ___crtMessageBoxW.LIBCMT ref: 0067A548
                                      • Part of subcall function 006732DF: ___crtCorExitProcess.LIBCMT ref: 006732E5
                                      • Part of subcall function 006732DF: ExitProcess.KERNEL32 ref: 006732EE
                                      • Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68
                                    • RtlAllocateHeap.NTDLL(016B0000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: dbd81505a1b3ae94742cc06c882e5d81b17a6d0d141e19424356c6593066d5e7
                                    • Instruction ID: c0b76635a1a68474188324cd13551c062805a3254117f77d8e1736542bc31e49
                                    • Opcode Fuzzy Hash: dbd81505a1b3ae94742cc06c882e5d81b17a6d0d141e19424356c6593066d5e7
                                    • Instruction Fuzzy Hash: 8D01D231341B55DEE6613B78DC46AAE738B9F41770F10C1AEF60E9B2C1DEB09D418269
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006B97D2,?,?,?,?,?,00000004), ref: 006B9B45
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006B9B5B
                                    • CloseHandle.KERNEL32(00000000,?,006B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B9B62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    • Opcode ID: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
                                    • Instruction ID: 628093e36946a903a24bac3a47ebd09ee53ec62aad535bcb3cb8265fda50b2de
                                    • Opcode Fuzzy Hash: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
                                    • Instruction Fuzzy Hash: 84E08632581224B7D7211B54EC09FDA7B1AAB05761F114121FB15691E087B126119798
                                    APIs
                                    • _free.LIBCMT ref: 006B8FA5
                                      • Part of subcall function 00672F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00679C64), ref: 00672FA9
                                      • Part of subcall function 00672F95: GetLastError.KERNEL32(00000000,?,00679C64), ref: 00672FBB
                                    • _free.LIBCMT ref: 006B8FB6
                                    • _free.LIBCMT ref: 006B8FC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
                                    • Instruction ID: f37150dea037411127d58dc65d52c75b2914a06ff8ef9b4f8ae7ae33a8bb1f16
                                    • Opcode Fuzzy Hash: 7ae2d2e3dd28ae231ba4dfbfc9ff98cbdd3434907fe9d12881c55d2a38818b0b
                                    • Instruction Fuzzy Hash: ACE012E16097024ECA64A978AD50AE357FF5F48390718081DF44DDB242DE28E891C628
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CALL
                                    • API String ID: 0-4196123274
                                    • Opcode ID: f4e33563162e94fce3ea04df794866749894c7daa606ac21f2e2d697650800e6
                                    • Instruction ID: e07110dfefc41988294a38571d014e02505af07e442635fbdff50f8608bf02bf
                                    • Opcode Fuzzy Hash: f4e33563162e94fce3ea04df794866749894c7daa606ac21f2e2d697650800e6
                                    • Instruction Fuzzy Hash: D5224770508241CFDB64DF54C494B6ABBF2BF85301F148A5DE89A8B362D731ED89CB86
                                    APIs
                                    • IsThemeActive.UXTHEME ref: 00654992
                                      • Part of subcall function 006735AC: __lock.LIBCMT ref: 006735B2
                                      • Part of subcall function 006735AC: DecodePointer.KERNEL32(00000001,?,006549A7,006A81BC), ref: 006735BE
                                      • Part of subcall function 006735AC: EncodePointer.KERNEL32(?,?,006549A7,006A81BC), ref: 006735C9
                                      • Part of subcall function 00654A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00654A73
                                      • Part of subcall function 00654A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00654A88
                                      • Part of subcall function 00653B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B7A
                                      • Part of subcall function 00653B4C: IsDebuggerPresent.KERNEL32 ref: 00653B8C
                                      • Part of subcall function 00653B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007162F8,007162E0,?,?), ref: 00653BFD
                                      • Part of subcall function 00653B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00653C81
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006549D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                    • String ID:
                                    • API String ID: 1438897964-0
                                    • Opcode ID: bc7501e175461665c8f5a25d112d71af83f40341357383987904ccc69a700428
                                    • Instruction ID: 604418798e3bde0eff82d3c52b157450b8d28e38970e7970556562ff216ec30c
                                    • Opcode Fuzzy Hash: bc7501e175461665c8f5a25d112d71af83f40341357383987904ccc69a700428
                                    • Instruction Fuzzy Hash: AC118E719043119BC700DF29EC0598AFBF9FB98710F00C51EF845832A1DB749649CBAA
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00655981,?,?,?,?), ref: 00655E27
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00655981,?,?,?,?), ref: 0068E19C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 915685b771fb92092cf294e782856732213023bcb7de3ce4728819af3bcfff48
                                    • Instruction ID: d9a0dc8aca06d7d85d75c9af4bf64489daf7e478de0a78e2f368fd27169be6c6
                                    • Opcode Fuzzy Hash: 915685b771fb92092cf294e782856732213023bcb7de3ce4728819af3bcfff48
                                    • Instruction Fuzzy Hash: 3E01B570244708BEF3241E24CC9FFA63B9DEB01769F108319BEE65A2E0C6B01E498B50
                                    APIs
                                      • Part of subcall function 0067594C: __FF_MSGBANNER.LIBCMT ref: 00675963
                                      • Part of subcall function 0067594C: __NMSG_WRITE.LIBCMT ref: 0067596A
                                      • Part of subcall function 0067594C: RtlAllocateHeap.NTDLL(016B0000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F
                                    • std::exception::exception.LIBCMT ref: 0067102C
                                    • __CxxThrowException@8.LIBCMT ref: 00671041
                                      • Part of subcall function 006787DB: RaiseException.KERNEL32(?,?,?,0070BAF8,00000000,?,?,?,?,00671046,?,0070BAF8,?,00000001), ref: 00678830
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 3902256705-0
                                    • Opcode ID: 6757b34d9b1ace1e4400c822a82821d79e5750e41d5d086891173ef4043e5ba6
                                    • Instruction ID: dfe5d5fec9358f857c468fd79f1a5edb3a6b3c86b1b3621bc2080dfc99f6fbe2
                                    • Opcode Fuzzy Hash: 6757b34d9b1ace1e4400c822a82821d79e5750e41d5d086891173ef4043e5ba6
                                    • Instruction Fuzzy Hash: 92F0F93454035DA6CB20AE58DC159DF7BAF9F01350F20805AF90C96281EFF09E9092A4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    • Opcode ID: dbe8de72a1888f2fac2663a7b58f30b1bb18cb406e00e8ea7d71972a7a6b129a
                                    • Instruction ID: 6a1c0887ae15c9693b14d38ac61ca50db9448680aeaba489cdff5167664e925f
                                    • Opcode Fuzzy Hash: dbe8de72a1888f2fac2663a7b58f30b1bb18cb406e00e8ea7d71972a7a6b129a
                                    • Instruction Fuzzy Hash: C201D871D00614EBCF51AFA58C054CF7B63AF40360F04C259F81C5B2A1DB718A11DB96
                                    APIs
                                      • Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68
                                    • __lock_file.LIBCMT ref: 0067561B
                                      • Part of subcall function 00676E4E: __lock.LIBCMT ref: 00676E71
                                    • __fclose_nolock.LIBCMT ref: 00675626
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    • Opcode ID: 89d9daf45c7e2672f99205a7476c3a07f065601a19d2d4dc02ccf0c78b9651b7
                                    • Instruction ID: 155b071050f614995b221f5e9dc7268eac06eb01aeb1a84f1bebbb643329d98a
                                    • Opcode Fuzzy Hash: 89d9daf45c7e2672f99205a7476c3a07f065601a19d2d4dc02ccf0c78b9651b7
                                    • Instruction Fuzzy Hash: 6FF0F671900A049ED7606B348806B5E76935F40730F54C24DA41EAB1D1CFBC8E018B59
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0065558F,?,?,?,?,?), ref: 006581DA
                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0065558F,?,?,?,?,?), ref: 0065820D
                                      • Part of subcall function 006578AD: _memmove.LIBCMT ref: 006578E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$_memmove
                                    • String ID:
                                    • API String ID: 3033907384-0
                                    • Opcode ID: 741a4dd2558ab95c8f4f959020be6a58f899f91ff27be6bb76f8e0a7bce96555
                                    • Instruction ID: c1326883e33c279bcf728f0eb2fb42cc4e3953faec88f91fb806c2e2506c0939
                                    • Opcode Fuzzy Hash: 741a4dd2558ab95c8f4f959020be6a58f899f91ff27be6bb76f8e0a7bce96555
                                    • Instruction Fuzzy Hash: 8401AD31201214BFEB246B25ED4AF7B3F6EEB89760F10802AFD06DE190DE209900C6B5
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03F51A5B
                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F51AF1
                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F51B13
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                    • String ID:
                                    • API String ID: 2438371351-0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00655CF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    APIs
                                      • Part of subcall function 00654D13: FreeLibrary.KERNEL32(00000000,?), ref: 00654D4D
                                      • Part of subcall function 0067548B: __wfsopen.LIBCMT ref: 00675496
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654F6F
                                      • Part of subcall function 00654CC8: FreeLibrary.KERNEL32(00000000), ref: 00654D02
                                      • Part of subcall function 00654DD0: _memmove.LIBCMT ref: 00654E1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load__wfsopen_memmove
                                    • String ID:
                                    • API String ID: 1396898556-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    APIs
                                    • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00655807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00655D76
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    APIs
                                    • __lock_file.LIBCMT ref: 00674AD6
                                      • Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654FDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006709F4
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LongNamePath_memmove
                                    • String ID:
                                    • API String ID: 2514874351-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0068E16B,?,?,00000000), ref: 00655DBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __wfsopen
                                    • String ID:
                                    • API String ID: 197181222-0
                                    APIs
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 006BD46A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AllocVirtual
                                    • String ID:
                                    • API String ID: 4275171209-0
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 03F522B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction ID: fe1a9a7545d4da04f21ae56a16e65ba951f9a22dfb2188836960f87a9860b151
                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction Fuzzy Hash: 1CE0BF7594010EFFDB00EFA8D5496DE7BB4EF04311F1006A1FD05E7680DB309E548A62
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 03F522B1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: e29a6803a99c0b89f5e53cfd64a985e9d8e13feac59a11ac48b1573fd9c69ee4
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: 0BE0E67594010EEFDB00EFB8D54969E7FB4EF04301F1006A1FD05E2280D6309D508A72
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006DCE50
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCE91
                                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006DCED6
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DCF00
                                    • SendMessageW.USER32 ref: 006DCF29
                                    • _wcsncpy.LIBCMT ref: 006DCFA1
                                    • GetKeyState.USER32(00000011), ref: 006DCFC2
                                    • GetKeyState.USER32(00000009), ref: 006DCFCF
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCFE5
                                    • GetKeyState.USER32(00000010), ref: 006DCFEF
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DD018
                                    • SendMessageW.USER32 ref: 006DD03F
                                    • SendMessageW.USER32(?,00001030,?,006DB602), ref: 006DD145
                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006DD15B
                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006DD16E
                                    • SetCapture.USER32(?), ref: 006DD177
                                    • ClientToScreen.USER32(?,?), ref: 006DD1DC
                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006DD1E9
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006DD203
                                    • ReleaseCapture.USER32 ref: 006DD20E
                                    • GetCursorPos.USER32(?), ref: 006DD248
                                    • ScreenToClient.USER32(?,?), ref: 006DD255
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006DD2B1
                                    • SendMessageW.USER32 ref: 006DD2DF
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD31C
                                    • SendMessageW.USER32 ref: 006DD34B
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006DD36C
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 006DD37B
                                    • GetCursorPos.USER32(?), ref: 006DD39B
                                    • ScreenToClient.USER32(?,?), ref: 006DD3A8
                                    • GetParent.USER32(?), ref: 006DD3C8
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 006DD431
                                    • SendMessageW.USER32 ref: 006DD462
                                    • ClientToScreen.USER32(?,?), ref: 006DD4C0
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006DD4F0
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD51A
                                    • SendMessageW.USER32 ref: 006DD53D
                                    • ClientToScreen.USER32(?,?), ref: 006DD58F
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006DD5C3
                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DD65F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F$prq
                                    • API String ID: 3977979337-1873520690
                                    • Opcode ID: 80a05411f3e018bae47caddedee2214ec6c82ab30c546a0df7aeae8e49be0405
                                    • Instruction ID: 5dd3c0e93e18b64b08883b9c5b04cd48e1addbd9fb3580dfeef1f1ccaead3dec
                                    • Opcode Fuzzy Hash: 80a05411f3e018bae47caddedee2214ec6c82ab30c546a0df7aeae8e49be0405
                                    • Instruction Fuzzy Hash: 6042AC70A09246AFC721DF28C844EAABBE6FF49324F14451EF696873A0C731D845CF92
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006D873F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: 7cd4b7fef30618fa764ab25304c7c045d53f6fd7d0f9550d03a001b65d0f6a75
                                    • Instruction ID: 692265eefef6b30f7636085cd901136219cf29ef093e4e11f10a74b90dfab276
                                    • Opcode Fuzzy Hash: 7cd4b7fef30618fa764ab25304c7c045d53f6fd7d0f9550d03a001b65d0f6a75
                                    • Instruction Fuzzy Hash: 6B12A071901244AFEB258F28CC49FAE7BBAEB89710F14412AF916DB3E1DF749941CB50
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$_memset
                                    • String ID: 0wp$DEFINE$Oaf$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                    • API String ID: 1357608183-1062756600
                                    • Opcode ID: 9420ef145c8bfde2b98e4e4e22cd63602180d619a2e320e9163c29c337528809
                                    • Instruction ID: 7b13a47a6ecf6309277341a8554330e2b7524dfc1ee82f41c633000624e0ae13
                                    • Opcode Fuzzy Hash: 9420ef145c8bfde2b98e4e4e22cd63602180d619a2e320e9163c29c337528809
                                    • Instruction Fuzzy Hash: D1939071A402169FDB24DF58C891BEDB7B2FF49314F24816AE945AB381E7709E82CF50
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,?), ref: 00654A3D
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068DA8E
                                    • IsIconic.USER32(?), ref: 0068DA97
                                    • ShowWindow.USER32(?,00000009), ref: 0068DAA4
                                    • SetForegroundWindow.USER32(?), ref: 0068DAAE
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068DAC4
                                    • GetCurrentThreadId.KERNEL32 ref: 0068DACB
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0068DAD7
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0068DAE8
                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0068DAF0
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0068DAF8
                                    • SetForegroundWindow.USER32(?), ref: 0068DAFB
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB10
                                    • keybd_event.USER32(00000012,00000000), ref: 0068DB1B
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB25
                                    • keybd_event.USER32(00000012,00000000), ref: 0068DB2A
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB33
                                    • keybd_event.USER32(00000012,00000000), ref: 0068DB38
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB42
                                    • keybd_event.USER32(00000012,00000000), ref: 0068DB47
                                    • SetForegroundWindow.USER32(?), ref: 0068DB4A
                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0068DB71
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: a283da95ec28ec56eb217c26d8884192a0a22a3b97bbf14cded096752fb23d14
                                    • Instruction ID: b55a9e9fd99ba559debae89b5921ce54df1aa38e11636252c72e2141d8c450e0
                                    • Opcode Fuzzy Hash: a283da95ec28ec56eb217c26d8884192a0a22a3b97bbf14cded096752fb23d14
                                    • Instruction Fuzzy Hash: 2F316571E81318BBEB216F61AC49FBF3F6EEB44B50F154166FA05E61D0C6B05D01ABA0
                                    APIs
                                      • Part of subcall function 006A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
                                      • Part of subcall function 006A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
                                      • Part of subcall function 006A8CC3: GetLastError.KERNEL32 ref: 006A8D47
                                    • _memset.LIBCMT ref: 006A889B
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006A88ED
                                    • CloseHandle.KERNEL32(?), ref: 006A88FE
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006A8915
                                    • GetProcessWindowStation.USER32 ref: 006A892E
                                    • SetProcessWindowStation.USER32(00000000), ref: 006A8938
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006A8952
                                      • Part of subcall function 006A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8851), ref: 006A8728
                                      • Part of subcall function 006A8713: CloseHandle.KERNEL32(?,?,006A8851), ref: 006A873A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: 4954de4236c6eb269557076af4c6ddfdc74bdb2c6cc5f4aff94446d7cd71a844
                                    • Instruction ID: b920d5347288497bab326a064d5a6168ff8bf9aa1b02b22be418b54f624bc248
                                    • Opcode Fuzzy Hash: 4954de4236c6eb269557076af4c6ddfdc74bdb2c6cc5f4aff94446d7cd71a844
                                    • Instruction Fuzzy Hash: 1E816A71901249AFDF11EFA4DC45AEE7BBAEF05304F08412AFA11A7261DB318E14DF60
                                    APIs
                                    • OpenClipboard.USER32(006DF910), ref: 006C4284
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 006C4292
                                    • GetClipboardData.USER32(0000000D), ref: 006C429A
                                    • CloseClipboard.USER32 ref: 006C42A6
                                    • GlobalLock.KERNEL32(00000000), ref: 006C42C2
                                    • CloseClipboard.USER32 ref: 006C42CC
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006C42E1
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 006C42EE
                                    • GetClipboardData.USER32(00000001), ref: 006C42F6
                                    • GlobalLock.KERNEL32(00000000), ref: 006C4303
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006C4337
                                    • CloseClipboard.USER32 ref: 006C4447
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                    • String ID:
                                    • API String ID: 3222323430-0
                                    • Opcode ID: 5f2d01b91d4651d9e7f666dfaadc375b79a02ebc219bfeace2d6be406317f502
                                    • Instruction ID: 3f991b01cb5e75f89ede2d0902f5c25b21c506a533c492a71db952c8913d42b7
                                    • Opcode Fuzzy Hash: 5f2d01b91d4651d9e7f666dfaadc375b79a02ebc219bfeace2d6be406317f502
                                    • Instruction Fuzzy Hash: 5751AF31604301ABD311EF64EC96FBE77AAEF84B01F10452EF956D22A1DF70DA058B66
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 006BC9F8
                                    • FindClose.KERNEL32(00000000), ref: 006BCA4C
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BCA71
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BCA88
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 006BCAAF
                                    • __swprintf.LIBCMT ref: 006BCAFB
                                    • __swprintf.LIBCMT ref: 006BCB3E
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                    • __swprintf.LIBCMT ref: 006BCB92
                                      • Part of subcall function 006738D8: __woutput_l.LIBCMT ref: 00673931
                                    • __swprintf.LIBCMT ref: 006BCBE0
                                      • Part of subcall function 006738D8: __flsbuf.LIBCMT ref: 00673953
                                      • Part of subcall function 006738D8: __flsbuf.LIBCMT ref: 0067396B
                                    • __swprintf.LIBCMT ref: 006BCC2F
                                    • __swprintf.LIBCMT ref: 006BCC7E
                                    • __swprintf.LIBCMT ref: 006BCCCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 3953360268-2428617273
                                    • Opcode ID: ea7ac5eef09625c59264929dd79bb3345da12f0e3261e9a5dc66bca3357463c4
                                    • Instruction ID: afd0cc2581702cffdfca282c97d9fb2b4191ac98e6adfca84ed04d8d04bada46
                                    • Opcode Fuzzy Hash: ea7ac5eef09625c59264929dd79bb3345da12f0e3261e9a5dc66bca3357463c4
                                    • Instruction Fuzzy Hash: 4EA13EB1418305ABC750EB64CC85DAFB7EEEF94701F40492EB986C7191EB34DA48CB66
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 006BF221
                                    • _wcscmp.LIBCMT ref: 006BF236
                                    • _wcscmp.LIBCMT ref: 006BF24D
                                    • GetFileAttributesW.KERNEL32(?), ref: 006BF25F
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 006BF279
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006BF291
                                    • FindClose.KERNEL32(00000000), ref: 006BF29C
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 006BF2B8
                                    • _wcscmp.LIBCMT ref: 006BF2DF
                                    • _wcscmp.LIBCMT ref: 006BF2F6
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BF308
                                    • SetCurrentDirectoryW.KERNEL32(0070A5A0), ref: 006BF326
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF330
                                    • FindClose.KERNEL32(00000000), ref: 006BF33D
                                    • FindClose.KERNEL32(00000000), ref: 006BF34F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 92e04e2b6bcb6dd6dd9ea3f9cb06fcb852f41694d440d21993c2b285803c3b1c
                                    • Instruction ID: 26f6bf7489e4284300cc8037b63686a126e5eb8bd6a8252076efaa81a7417322
                                    • Opcode Fuzzy Hash: 92e04e2b6bcb6dd6dd9ea3f9cb06fcb852f41694d440d21993c2b285803c3b1c
                                    • Instruction Fuzzy Hash: 673104B69012196ADB10DBF4DC59ADE73EEAF08320F144276E805D32A0EB31DF85CB94
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0BDE
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,006DF910,00000000,?,00000000,?,?), ref: 006D0C4C
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006D0C94
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006D0D1D
                                    • RegCloseKey.ADVAPI32(?), ref: 006D103D
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D104A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 6a4df29d36aebc423424b0e7400170bdb3349cd2365e5a8ba58db5adeffbdfc9
                                    • Instruction ID: d5fc94a7c98e752a9e079bf06f2786b5dee8491971e61f33398b71e6c7fe7af4
                                    • Opcode Fuzzy Hash: 6a4df29d36aebc423424b0e7400170bdb3349cd2365e5a8ba58db5adeffbdfc9
                                    • Instruction Fuzzy Hash: D10249756006119FCB54EF24C891E2AB7E6FF89714F08885DF88A9B362CB30ED45CB95
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 006BF37E
                                    • _wcscmp.LIBCMT ref: 006BF393
                                    • _wcscmp.LIBCMT ref: 006BF3AA
                                      • Part of subcall function 006B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006B45DC
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 006BF3D9
                                    • FindClose.KERNEL32(00000000), ref: 006BF3E4
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 006BF400
                                    • _wcscmp.LIBCMT ref: 006BF427
                                    • _wcscmp.LIBCMT ref: 006BF43E
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BF450
                                    • SetCurrentDirectoryW.KERNEL32(0070A5A0), ref: 006BF46E
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF478
                                    • FindClose.KERNEL32(00000000), ref: 006BF485
                                    • FindClose.KERNEL32(00000000), ref: 006BF497
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: fc394cadaeea2e643385839068b2520764819dc3907d9238ab9002feee4a4353
                                    • Instruction ID: 591f46cd1910632e6870844b98df67154a17a46df3ea8a9ebb47a9eaddfe3dec
                                    • Opcode Fuzzy Hash: fc394cadaeea2e643385839068b2520764819dc3907d9238ab9002feee4a4353
                                    • Instruction Fuzzy Hash: FD31F8B15012196FCB109BA4EC88ADE77EE9F09320F144276E844E32F1DB74DE84CBA4
                                    APIs
                                      • Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
                                      • Part of subcall function 006A874A: GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
                                      • Part of subcall function 006A874A: GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
                                      • Part of subcall function 006A874A: HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
                                      • Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D
                                      • Part of subcall function 006A87E7: GetProcessHeap.KERNEL32(00000008,006A8240,00000000,00000000,?,006A8240,?), ref: 006A87F3
                                      • Part of subcall function 006A87E7: HeapAlloc.KERNEL32(00000000,?,006A8240,?), ref: 006A87FA
                                      • Part of subcall function 006A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006A8240,?), ref: 006A880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006A825B
                                    • _memset.LIBCMT ref: 006A8270
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006A828F
                                    • GetLengthSid.ADVAPI32(?), ref: 006A82A0
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 006A82DD
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006A82F9
                                    • GetLengthSid.ADVAPI32(?), ref: 006A8316
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006A8325
                                    • HeapAlloc.KERNEL32(00000000), ref: 006A832C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006A834D
                                    • CopySid.ADVAPI32(00000000), ref: 006A8354
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006A8385
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006A83AB
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006A83BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: c9d545ab376c6441de67295b10255f350c5bf58704d1a6ba7f85fb494426de50
                                    • Instruction ID: fdb2eeb81a96d0821cd97704f7f984dfd5355e8feb0608d648d1d3c16bba8389
                                    • Opcode Fuzzy Hash: c9d545ab376c6441de67295b10255f350c5bf58704d1a6ba7f85fb494426de50
                                    • Instruction Fuzzy Hash: FC613A71900219AFDF00AFA5DC44AEEBBBAFF05700F14816AF816A7291DB319E05CF60
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oaf$PJo$UCP)$UTF)$UTF16)
                                    • API String ID: 0-1612524099
                                    • Opcode ID: 58f6a21ad785a08f0fed2478ab9986839c63778f7a71e47f011b9e4c69628c07
                                    • Instruction ID: 4f026a1ed7a89accdccaa0a55d392d8a380fc1cc74e8c2eea80ea41f681f2f4e
                                    • Opcode Fuzzy Hash: 58f6a21ad785a08f0fed2478ab9986839c63778f7a71e47f011b9e4c69628c07
                                    • Instruction Fuzzy Hash: FF725D75E002199BDB14DF58D8907EEB7B6EF49310F14816AE949EB380EB749E81CF90
                                    APIs
                                      • Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0737
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006D07D6
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006D086E
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006D0AAD
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D0ABA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    • Opcode ID: a8403a00abe3a7c5eca5c06ee1462e0d0c68c7b3d90c0831da696231d651d286
                                    • Instruction ID: 0704258843eea4dcac85baa8325ba2fa3e22bfe83bfb25492cfbe244e49bb0e0
                                    • Opcode Fuzzy Hash: a8403a00abe3a7c5eca5c06ee1462e0d0c68c7b3d90c0831da696231d651d286
                                    • Instruction Fuzzy Hash: 71E15F31604300AFDB14DF25C895E6ABBE6EF89714F08856EF84ADB362DA30ED05CB51
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 006B0241
                                    • GetAsyncKeyState.USER32(000000A0), ref: 006B02C2
                                    • GetKeyState.USER32(000000A0), ref: 006B02DD
                                    • GetAsyncKeyState.USER32(000000A1), ref: 006B02F7
                                    • GetKeyState.USER32(000000A1), ref: 006B030C
                                    • GetAsyncKeyState.USER32(00000011), ref: 006B0324
                                    • GetKeyState.USER32(00000011), ref: 006B0336
                                    • GetAsyncKeyState.USER32(00000012), ref: 006B034E
                                    • GetKeyState.USER32(00000012), ref: 006B0360
                                    • GetAsyncKeyState.USER32(0000005B), ref: 006B0378
                                    • GetKeyState.USER32(0000005B), ref: 006B038A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: b45ba52c8559e618da68c6c719bd7854756fd1bb66681a4ac11d91aa2cec7d1f
                                    • Instruction ID: f4639f180b6847cb0e1475a4f41e9c91845379d89c0fde47fe41a0f580140129
                                    • Opcode Fuzzy Hash: b45ba52c8559e618da68c6c719bd7854756fd1bb66681a4ac11d91aa2cec7d1f
                                    • Instruction Fuzzy Hash: DC41ABB49047CA6EFF715B64940C3EBBEE26F11340F18419ED5C6463C2DBA45AC88792
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: d37d4b588731a476a03685584f7af7be53a7f6723d2ceaf7ed581c29feb3909d
                                    • Instruction ID: ea8af9368054f62717b6464c52b2b869a265a3c9fbf182ef8b012486a9a8813c
                                    • Opcode Fuzzy Hash: d37d4b588731a476a03685584f7af7be53a7f6723d2ceaf7ed581c29feb3909d
                                    • Instruction Fuzzy Hash: 54218B356012109FDB10AF64EC19F6A7BAAEF44721F14C02AF947DB2A1CB34ED01CB58
                                    APIs
                                      • Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE
                                      • Part of subcall function 006B4CD3: GetFileAttributesW.KERNEL32(?,006B3947), ref: 006B4CD4
                                    • FindFirstFileW.KERNEL32(?,?), ref: 006B3ADF
                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006B3B87
                                    • MoveFileW.KERNEL32(?,?), ref: 006B3B9A
                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006B3BB7
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006B3BD9
                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 006B3BF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                    • String ID: \*.*
                                    • API String ID: 4002782344-1173974218
                                    • Opcode ID: f03c2c359182f43f202f0934f309db082095e031167bd2b9c9371d26c065e4cc
                                    • Instruction ID: 89cf10c30e7ba0203bcb84c1f355946b7dfba09e26e5e24203f51802938ab55b
                                    • Opcode Fuzzy Hash: f03c2c359182f43f202f0934f309db082095e031167bd2b9c9371d26c065e4cc
                                    • Instruction Fuzzy Hash: DC51B371D0121C9ACF45EBA0DD928EDB77AAF14301F2441A9E80277292DF306F4DCB94
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$Oaf$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-2934378390
                                    • Opcode ID: 44271da2577b85faa07b7a76f3e1d7568694d9b24b9e4909bffe2ba43cb172fb
                                    • Instruction ID: 5002b519ad7ab7863c0ab13c4de6bdbab1d91c6aacdc8b92b424d6c8740ecf37
                                    • Opcode Fuzzy Hash: 44271da2577b85faa07b7a76f3e1d7568694d9b24b9e4909bffe2ba43cb172fb
                                    • Instruction Fuzzy Hash: 82A26D70E0421ACBDF24CF58C9907EDB7B6BF55314F2481AAD856A7780EB349E85CB90
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006BF6AB
                                    • Sleep.KERNEL32(0000000A), ref: 006BF6DB
                                    • _wcscmp.LIBCMT ref: 006BF6EF
                                    • _wcscmp.LIBCMT ref: 006BF70A
                                    • FindNextFileW.KERNEL32(?,?), ref: 006BF7A8
                                    • FindClose.KERNEL32(00000000), ref: 006BF7BE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                    • String ID: *.*
                                    • API String ID: 713712311-438819550
                                    • Opcode ID: 630150ad5c13e16a5d829702b427affa6d8ec95ab6e4506a8c1075a0bd6f9f33
                                    • Instruction ID: 16643223383fd675e1ced1e97a3b15dff9567def6af2646386c140000c924454
                                    • Opcode Fuzzy Hash: 630150ad5c13e16a5d829702b427affa6d8ec95ab6e4506a8c1075a0bd6f9f33
                                    • Instruction Fuzzy Hash: 5D41B8B190021AAFCF50DF64DC45AEEBBB6FF05310F1445BAE815A32A1EB309E84CB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    • Opcode ID: 3ebf52544662d2541c8a5bb419b459163715a4bbc36c63bdae9e9688d6ce7934
                                    • Instruction ID: 3e0f6d21bd09ed4b719fd2040bf5a578757f634174398876e0bc561e41272547
                                    • Opcode Fuzzy Hash: 3ebf52544662d2541c8a5bb419b459163715a4bbc36c63bdae9e9688d6ce7934
                                    • Instruction Fuzzy Hash: 17126970A00609DFDF14DFA4D992AEEB7B6FF48300F108669E806E7251EB35AD15CB64
                                    APIs
                                      • Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
                                      • Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041
                                    • _memmove.LIBCMT ref: 006A062F
                                    • _memmove.LIBCMT ref: 006A0744
                                    • _memmove.LIBCMT ref: 006A07EB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                    • String ID: yZf
                                    • API String ID: 1300846289-1088748414
                                    • Opcode ID: 8e5531afe923e1dfee09fea4bb80e88343f5cea470d4e0cc2116c6260f7c788f
                                    • Instruction ID: 3b43d6bc567d03a47f90946e3411afeeae57b8ad61e8fc82758c0b84993106f5
                                    • Opcode Fuzzy Hash: 8e5531afe923e1dfee09fea4bb80e88343f5cea470d4e0cc2116c6260f7c788f
                                    • Instruction Fuzzy Hash: 5E02AEB0A00205DBDF04DF64D982AAEBBB6EF45300F14806DE80ADB255EB35EE55CF95
                                    APIs
                                      • Part of subcall function 006A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
                                      • Part of subcall function 006A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
                                      • Part of subcall function 006A8CC3: GetLastError.KERNEL32 ref: 006A8D47
                                    • ExitWindowsEx.USER32(?,00000000), ref: 006B549B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: 935b54c962b41b210da82e1000f0e616bd87ac4bc3eb2baa03320deac0cfa09b
                                    • Instruction ID: 6f1ab5d45998a5ead6659af57abe2492944b705d868d9a22d5c038f91170da71
                                    • Opcode Fuzzy Hash: 935b54c962b41b210da82e1000f0e616bd87ac4bc3eb2baa03320deac0cfa09b
                                    • Instruction Fuzzy Hash: 02012FF1A95B116AE7686378AC4ABFA72DAAB01352F240535FD07D22D2DA901CC187A4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID: Oaf
                                    • API String ID: 674341424-1555074404
                                    • Opcode ID: d29f9f010a0efe474c1353347649bc4b0b38009f8fc8b75984fd3672bd54ea5a
                                    • Instruction ID: 67796402350f97119046eed032c8c6296b223a903ef7b6b363fb2c851ac7205f
                                    • Opcode Fuzzy Hash: d29f9f010a0efe474c1353347649bc4b0b38009f8fc8b75984fd3672bd54ea5a
                                    • Instruction Fuzzy Hash: E522AB716183119FCB64DF24C891BABB7EAAF84300F14491DF89A97391DB30EE05CB96
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006C65EF
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C65FE
                                    • bind.WSOCK32(00000000,?,00000010), ref: 006C661A
                                    • listen.WSOCK32(00000000,00000005), ref: 006C6629
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6643
                                    • closesocket.WSOCK32(00000000,00000000), ref: 006C6657
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: e7367dfbc6c2f870ce6ce20c8e9ebdd583080c484e622a0e2f84b730c981f07f
                                    • Instruction ID: 198ae87ad5b515483955de078cc0382ad824feb3fab2c3cba74c650013d2bdf7
                                    • Opcode Fuzzy Hash: e7367dfbc6c2f870ce6ce20c8e9ebdd583080c484e622a0e2f84b730c981f07f
                                    • Instruction Fuzzy Hash: 7E218D306002049FCB10EF25D845FBEB7AAEF45320F14815EF956A7391CB70AD059B6A
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 006519FA
                                    • GetSysColor.USER32(0000000F), ref: 00651A4E
                                    • SetBkColor.GDI32(?,00000000), ref: 00651A61
                                      • Part of subcall function 00651290: DefDlgProcW.USER32(?,00000020,?), ref: 006512D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ColorProc$LongWindow
                                    • String ID:
                                    • API String ID: 3744519093-0
                                    • Opcode ID: 954e57980a316bddaef14471b182a82ee2a0c55dc232c97e343983df778eaa7f
                                    • Instruction ID: e28afea6caf27c5363cb8b2a656bb6ab68df21747e10165963f847fe442359b4
                                    • Opcode Fuzzy Hash: 954e57980a316bddaef14471b182a82ee2a0c55dc232c97e343983df778eaa7f
                                    • Instruction Fuzzy Hash: 4EA12574106589BAD72AAB289C55FFB259FDB43353F14421AFC02DA3D1CE248D0AD3B9
                                    APIs
                                      • Part of subcall function 006C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006C6AB1
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6ADA
                                    • bind.WSOCK32(00000000,?,00000010), ref: 006C6B13
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6B20
                                    • closesocket.WSOCK32(00000000,00000000), ref: 006C6B34
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                    • String ID:
                                    • API String ID: 99427753-0
                                    • Opcode ID: 9d9e777ccaf4ab9711e4c942c2d25b817164d74aa42932f242d822cc95dce26b
                                    • Instruction ID: 9e5b37ed32431ba199740ad44d67451257072389aa40aa0a4f1c3f427ca03782
                                    • Opcode Fuzzy Hash: 9d9e777ccaf4ab9711e4c942c2d25b817164d74aa42932f242d822cc95dce26b
                                    • Instruction Fuzzy Hash: 9941B175B00214AFEB50AF64DC86F7E77AADB44710F04805DFE1AAB3C2CA709D058BA5
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: e6abfd8734c26bd3d76f0e1143741ede97b5c1e2d79fcd4fd415b5e525bba8a1
                                    • Instruction ID: 5de73ef303e4b8dfc896a59ca824237242cb65d23efefcd06470538dcd6d12d1
                                    • Opcode Fuzzy Hash: e6abfd8734c26bd3d76f0e1143741ede97b5c1e2d79fcd4fd415b5e525bba8a1
                                    • Instruction Fuzzy Hash: DA11C431B01A506FE7211F26DC44A6F7B9BEF95721F44402AF807D7761CB70D9028AA9
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 006BC69D
                                    • CoCreateInstance.OLE32(006E2D6C,00000000,00000001,006E2BDC,?), ref: 006BC6B5
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                    • CoUninitialize.OLE32 ref: 006BC922
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                    • String ID: .lnk
                                    • API String ID: 2683427295-24824748
                                    • Opcode ID: 2289af0f12bb5660172ffe4342e8ec1d8fc65c7e46105d53bc97a3e49e9cf64f
                                    • Instruction ID: d44f6e78114689172e52482fd43423a34cf8888d4e7d729e06675f335262b036
                                    • Opcode Fuzzy Hash: 2289af0f12bb5660172ffe4342e8ec1d8fc65c7e46105d53bc97a3e49e9cf64f
                                    • Instruction Fuzzy Hash: 00A14A71104301AFD740EF64C891EABB7EAEF94305F00491CF596971A2DB70EA49CB66
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00691D88,?), ref: 006CC312
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CC324
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: 23d8eb36be596d8f8466b223e40677f37f32a364fde17e2b74455593b654e642
                                    • Instruction ID: c544b44984a1b200d116fd35bd378978731ffbae8c15d92910d565032722b73b
                                    • Opcode Fuzzy Hash: 23d8eb36be596d8f8466b223e40677f37f32a364fde17e2b74455593b654e642
                                    • Instruction Fuzzy Hash: 4AE08C70A00303CFCB204F25E818F9676D6EB08324B80843EE89EC2350E774D881CBA0
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 006CF151
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 006CF15F
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                    • Process32NextW.KERNEL32(00000000,?), ref: 006CF21F
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 006CF22E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                    • String ID:
                                    • API String ID: 2576544623-0
                                    • Opcode ID: 8c41e1b4a669d4abdd9bd76549372ceab4a49ad0521eee08c8b8f60b56e5e050
                                    • Instruction ID: 8e5a3c2a5072d34f8f1d0ed2ca58a11e2a4db81d394f5225a709c2d84ae08852
                                    • Opcode Fuzzy Hash: 8c41e1b4a669d4abdd9bd76549372ceab4a49ad0521eee08c8b8f60b56e5e050
                                    • Instruction Fuzzy Hash: 15517F71504310AFD350EF24DC85E6BB7EAFF98710F14492DF89697291EB70AA08CB96
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006AEB19
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: fe7758441c15c2f57217f5f0ba37b19d2434554264c7fa9a335c415e7773910a
                                    • Instruction ID: bd626e54c28226316c0c3e731a53bca83e344b7122fb24ac79df3f178ae55f41
                                    • Opcode Fuzzy Hash: fe7758441c15c2f57217f5f0ba37b19d2434554264c7fa9a335c415e7773910a
                                    • Instruction Fuzzy Hash: 5C323575A006059FD728DF19C481AAAB7F1FF48320B15C56EE89ACB3A1E770E941CF54
                                    APIs
                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006C1AFE,00000000), ref: 006C26D5
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006C270C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: 0d9f92e2369b4c431b4184c62811567bf9cdddea6bc7b6035c4b130ce8e4e0fd
                                    • Instruction ID: 0ed4ccb2572c346b3db4ecc957a624ceb6e27298cae69da4ea6b62364764a065
                                    • Opcode Fuzzy Hash: 0d9f92e2369b4c431b4184c62811567bf9cdddea6bc7b6035c4b130ce8e4e0fd
                                    • Instruction Fuzzy Hash: 6A41A27590020ABFEB209B95DCD5FFBB7BEEB40714F10406EFE05A6240EA719E419A64
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 006BB5AE
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006BB608
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006BB655
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: 6787c6c784f9667111aeb81ab949a357c25341cb3cb15e877a8d9324baeecfd1
                                    • Instruction ID: 668573e6a80179df4bbe339b5a8fa87d272bccf8c744003b23a9133bcc15e784
                                    • Opcode Fuzzy Hash: 6787c6c784f9667111aeb81ab949a357c25341cb3cb15e877a8d9324baeecfd1
                                    • Instruction Fuzzy Hash: D2216275A00118EFCB00EF65DC84EEDBBB9FF48311F1480A9E906AB351DB319955CB55
                                    APIs
                                      • Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
                                      • Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
                                    • GetLastError.KERNEL32 ref: 006A8D47
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: 3e9ea79cc6eee138c71a6f689ce5a84cc024f367f625e003760af12f2a43b7ed
                                    • Instruction ID: c50dad843cafb3a000f0ff8911ffeca39b08f6f295727ac32ba3d533f826a867
                                    • Opcode Fuzzy Hash: 3e9ea79cc6eee138c71a6f689ce5a84cc024f367f625e003760af12f2a43b7ed
                                    • Instruction Fuzzy Hash: 9411BFB1814208AFE728AF54DC85D6BB7FEEF04710B20852EF84683241EB30BC408E60
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006B404B
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 006B4088
                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006B4091
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: 7d419d4684633c6f2b902ffd2fe2ee435f2b29b0874657393b59ec18ecaa261f
                                    • Instruction ID: 99395850684fd2dcc935868a22da925fe25843303af2e963772fbd67aa0a7330
                                    • Opcode Fuzzy Hash: 7d419d4684633c6f2b902ffd2fe2ee435f2b29b0874657393b59ec18ecaa261f
                                    • Instruction Fuzzy Hash: 961170B1D01228BEE7109BECDC44FFBBBBDEB08710F004656BA05E7291C6745A4587A1
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006B4C2C
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006B4C43
                                    • FreeSid.ADVAPI32(?), ref: 006B4C53
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
                                    • Instruction ID: da73ced628cd9a5bd3f5a7f71cf69480206756aad0a6ead882ec1653a38b1d21
                                    • Opcode Fuzzy Hash: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
                                    • Instruction Fuzzy Hash: 21F03C75D11208BBDB04DFE09C99ABDBBB9EB08201F404469A502E2281D6705A448B50
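                                    The API lines in the records above carry their argument constants as raw hex (the two socket() calls, the DeviceIoControl() control code 002D1400, the RIDs 00000020/00000220 passed to AllocateAndInitializeSid before CheckTokenMembership). The following is an added triage helper, not Joe Sandbox code and not part of this report: it parses lines in the report's "Name.MODULE(args), ref: addr" format and names those constants, inverting the CTL_CODE() layout for the IOCTL and rebuilding the SID. Assumptions it makes: the SID authority is SECURITY_NT_AUTHORITY (the report shows only "?" for that pointer), the image base is the 00650000 from the Memory Dump Source lines, and the constant tables cover only the values seen here; the sample input is copied from this page.

```python
"""Annotate API-call records of the kind Joe Sandbox lists per function (added example)."""
import re

# Constructed sample: four API lines copied from records on this page.
SAMPLE_RECORDS = """\
socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006C65EF
socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006C6AB1
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 006B4088
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006B4C2C
"""

IMAGE_BASE = 0x650000  # "Offset: 00650000" in the Memory Dump Source lines (assumption: same image)

LINE_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Partial constant tables: only what is needed for the values seen in this report.
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOL = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
IOCTL_METHOD = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
IOCTL_ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
                "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
KNOWN_IOCTL = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def parse_api_line(line):
    """Parse 'Name.MODULE(a,b,?), ref: addr'. A '?' argument (unknown to the analyzer) becomes None."""
    m = LINE_RE.match(line.strip().lstrip("• ").strip())
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [None if a == "?" else int(a, 16) for a in raw_args.split(",")] if raw_args else []
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def decode_socket(args):
    """socket(af, type, protocol): name the three constants, e.g. AF_INET/SOCK_STREAM/IPPROTO_TCP."""
    tables = (ADDRESS_FAMILY, SOCKET_TYPE, PROTOCOL)
    return "/".join(str(t.get(v, v)) for t, v in zip(tables, args[:3]))


def decode_ioctl(code):
    """Invert CTL_CODE(): code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {
        "device_type": code >> 16,
        "access": IOCTL_ACCESS[(code >> 14) & 3],
        "function": (code >> 2) & 0xFFF,
        "method": IOCTL_METHOD[code & 3],
        "name": KNOWN_IOCTL.get(code, "unknown"),
    }


def decode_sid(args, authority=5):
    """AllocateAndInitializeSid(pAuthority, count, sub0..sub7, &pSid) -> (SID string, label).
    The authority pointer is '?' in the report; SECURITY_NT_AUTHORITY (5) is an assumption."""
    count = args[1]
    subs = args[2:2 + count]
    sid = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))
    return sid, WELL_KNOWN_SIDS.get(sid, "unknown")


def annotate(text, image_base=IMAGE_BASE):
    """Parse every API line in text and attach an image-relative offset and a decoded note."""
    out = []
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec is None:
            continue
        if rec["api"] == "socket":
            note = decode_socket(rec["args"])
        elif rec["api"] == "DeviceIoControl":
            d = decode_ioctl(rec["args"][1])
            note = "%s (dev 0x%X, fn 0x%X, %s, %s)" % (
                d["name"], d["device_type"], d["function"], d["method"], d["access"])
        elif rec["api"] == "AllocateAndInitializeSid":
            sid, label = decode_sid(rec["args"])
            note = "%s = %s" % (sid, label)
        else:
            note = ""
        rec["rva"] = rec["ref"] - image_base
        rec["note"] = note
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in annotate(SAMPLE_RECORDS):
        print("image+0x%X %s.%s -> %s" % (r["rva"], r["module"], r["api"], r["note"]))
```

                                    Run on the sample, the two socket() records come out as a TCP stream socket and a UDP datagram socket (matching the bind/listen and bind-only sequences in the records), 002D1400 decomposes to device type 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY, and the RIDs 32/544 rebuild to S-1-5-32-544, so the AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence is the standard "is the caller in BUILTIN\Administrators" test. These are ordinary AutoIt runtime functions, so their presence alone says little; the decoded values are for orienting in the disassembly, not for detection.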
                                    APIs
                                    • __time64.LIBCMT ref: 006B8B25
                                      • Part of subcall function 0067543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006B91F8,00000000,?,?,?,?,006B93A9,00000000,?), ref: 00675443
                                      • Part of subcall function 0067543A: __aulldiv.LIBCMT ref: 00675463
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID: 0uq
                                    • API String ID: 2893107130-2925588635
                                    • Opcode ID: f5209424c5378d33a02b4afc1aa240aace4ab630ac7bfc38c51dc8d189f06eb7
                                    • Instruction ID: 9defc71a360d2d2f6f3f7999dc37d99b744deb600f158580a5d7ff8e7ca211c4
                                    • Opcode Fuzzy Hash: f5209424c5378d33a02b4afc1aa240aace4ab630ac7bfc38c51dc8d189f06eb7
                                    • Instruction Fuzzy Hash: BE21A2726255108FC729CF39D841A92B3E6EBA5311B28CE6CD0E5CB2D0CA74B945CB94
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 666c2cbd6a169e7b0000a48ae9aab8fd0628edf82572bc50391e050c5ce22bef
                                    • Instruction ID: 826b81f0be31409053bc0239d31bf35c3a0ba4eebe4146808e875414f48fc83c
                                    • Opcode Fuzzy Hash: 666c2cbd6a169e7b0000a48ae9aab8fd0628edf82572bc50391e050c5ce22bef
                                    • Instruction Fuzzy Hash: D9228E74A00216CFDF28DF58C480AAEB7F6FF04301F148569EC569B351E776AA89CB91
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 006BC966
                                    • FindClose.KERNEL32(00000000), ref: 006BC996
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 92da115f916a9013062e66e93164925c1666e019e9a535027c4d5ad98739d8b2
                                    • Instruction ID: 5c795576bffacddee040c9a3fe6f05b678fbf1e37cfd12425736ed1feff663cf
                                    • Opcode Fuzzy Hash: 92da115f916a9013062e66e93164925c1666e019e9a535027c4d5ad98739d8b2
                                    • Instruction Fuzzy Hash: 6D11C4726002009FDB10EF29C845A6AF7EAFF84321F04851EF8AAD7391DB70AD04CB95
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006C977D,?,006DFB84,?), ref: 006BA302
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006C977D,?,006DFB84,?), ref: 006BA314
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: e0cd10bd69ec9275c20b37c5e32359eb88a43f8ecbf25cd081986ae447202f4f
                                    • Instruction ID: cb7096b2b461c0d7dd637d46cbf870a0390b76993fb0d5e5a1dd91895a0ec1bc
                                    • Opcode Fuzzy Hash: e0cd10bd69ec9275c20b37c5e32359eb88a43f8ecbf25cd081986ae447202f4f
                                    • Instruction Fuzzy Hash: 4FF0823554522DABDB20AFA4CC48FEA776EBF09761F00426AB909D6181D6309944CBE1
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8851), ref: 006A8728
                                    • CloseHandle.KERNEL32(?,?,006A8851), ref: 006A873A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: 0fdc9ae6caff283b1fb7ef33f247f5cea284d1426f974e07ec49c5d64bd7b1c3
                                    • Instruction ID: 6405c4088aa8b43e37d5de1f89b5b656aea784a47dde21cb8e86b2698d7f1092
                                    • Opcode Fuzzy Hash: 0fdc9ae6caff283b1fb7ef33f247f5cea284d1426f974e07ec49c5d64bd7b1c3
                                    • Instruction Fuzzy Hash: 19E0B676011610EEE7652B64EC09D77BBEAEB05350725C82EF49A85470DB62ACD0DB50
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00678F97,?,?,?,00000001), ref: 0067A39A
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0067A3A3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
                                    • Instruction ID: a56d2f2bf35eee2812ecab3a921bb16622b54cce86ecaa3eb58277901477a0f3
                                    • Opcode Fuzzy Hash: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
                                    • Instruction Fuzzy Hash: E7B09231455208ABCB002B95EC09B883F6AEB44AA2F429022F60E84060CF6254508AD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
                                    • Instruction ID: 279f0ec82574dcbfb6ca764dfd839ebd47ba479345ae73ba0470797f7010836d
                                    • Opcode Fuzzy Hash: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
                                    • Instruction Fuzzy Hash: 4332F721D69F414DD7239A34D872336A24AAFB73D4F15E737F819B9AA6EF29C4834100
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
                                    • Instruction ID: df7b4a5ee5fb5c693b8c1cc44888c1063ebd7ce1b98177d0c8f82a150132e48b
                                    • Opcode Fuzzy Hash: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
                                    • Instruction Fuzzy Hash: 25B10230D2AF814DD32396398871336B69DAFBB2C5F52E71BFC1678D62EB2195834241
                                    APIs
                                    • BlockInput.USER32(00000001), ref: 006C4218
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    • Opcode ID: dc256feb6b510950eee5680db1f29ba355f5c895d7e134560ec98e7df6d3e77d
                                    • Instruction ID: 019e3565370d84114d1cf30463083419a5411d2a84cc39452fef9d54672a311c
                                    • Opcode Fuzzy Hash: dc256feb6b510950eee5680db1f29ba355f5c895d7e134560ec98e7df6d3e77d
                                    • Instruction Fuzzy Hash: 9FE04F312402149FC710EF5AD845E9AF7EAEF94761F00802AFC4AC7352DA75ED458BA0
                                    APIs
                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006B4F18
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID:
                                    • API String ID: 2434400541-0
                                    • Opcode ID: 41139644021ebf1e935ad4ad63f1b710d665969cff5bd1ae5244760ea95d6c1a
                                    • Instruction ID: 43af598aaecb17ab1ec31e92d9e04cbedd5280f38b447047b29e1cb65348c539
                                    • Opcode Fuzzy Hash: 41139644021ebf1e935ad4ad63f1b710d665969cff5bd1ae5244760ea95d6c1a
                                    • Instruction Fuzzy Hash: 91D09EF456461579FD184F20AC1FFF6130FE3D0791F9459897202976C39CE5A8D1A235
                                    APIs
                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006A88D1), ref: 006A8CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    • Opcode ID: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
                                    • Instruction ID: 18e9a6d304c3c2378e32407b3a82ab543a13499a195027a6d8f3d7b10c41c67c
                                    • Opcode Fuzzy Hash: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
                                    • Instruction Fuzzy Hash: 22D09E3226450EABEF019FA4DD05EBE3B6AEB04B01F408511FE16D61A1C775D935AB60
                                    APIs
                                    • GetUserNameW.ADVAPI32(?,?), ref: 00692242
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 96ddeafe7dd5e47a47826983c9fbf8dc50a96ee6c1c0a4b0b6e8e78ce9594a6a
                                    • Instruction ID: 43143bdcfabcee8f05546a72411f922afe3dbf1cbe8949e168b82eeea8ca0852
                                    • Opcode Fuzzy Hash: 96ddeafe7dd5e47a47826983c9fbf8dc50a96ee6c1c0a4b0b6e8e78ce9594a6a
                                    • Instruction Fuzzy Hash: 99C048F1C0110AEBDB05DBA0DA98DEEB7BEAB08314F2040A6A102F2100E7749B448A71
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0067A36A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
                                    • Instruction ID: 5a25bd8b95388497204cc55ae1577e614ddf8e814b5708a76a623ee28e9d0870
                                    • Opcode Fuzzy Hash: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
                                    • Instruction Fuzzy Hash: A9A0243000010CF7CF001F45FC044447F5DD7001D07014031F40D40031CF33541045C0
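The `APIs` entries above (FindFirstFileW/FindClose, AdjustTokenPrivileges, BlockInput, mouse_event, LogonUserW, GetUserNameW, SetUnhandledExceptionFilter) are the part of this listing an analyst actually triages. The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small parser for the `• Api.MODULE(args), ref: ADDR` line format used in these entries, plus a triage pass that flags the APIs behind signatures such as "block mouse and keyboard input" and "privilege manipulation". The sample input is constructed from the API reference lines on this page; the function names, the `RISKY_APIS` table and the BlockInput(TRUE) check are the example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' entries and flag high-risk Win32 API usage.

Added example. SAMPLE_REPORT is constructed from API reference lines visible on
the report page; the risk table below is this example's own, not Joe Sandbox's.
"""
import re
from collections import Counter

# Constructed sample: API lines from several function entries of the report.
SAMPLE_REPORT = """\
APIs
• __time64.LIBCMT ref: 006B8B25
  • Part of subcall function 0067543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006B91F8,00000000,?,?,?,?,006B93A9,00000000,?), ref: 00675443
  • Part of subcall function 0067543A: __aulldiv.LIBCMT ref: 00675463
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 006BC966
• FindClose.KERNEL32(00000000), ref: 006BC996
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8851), ref: 006A8728
• CloseHandle.KERNEL32(?,?,006A8851), ref: 006A873A
APIs
• BlockInput.USER32(00000001), ref: 006C4218
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006B4F18
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006A88D1), ref: 006A8CB3
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00692242
"""

# One API reference line. Arguments are optional (CRT helpers such as
# __time64.LIBCMT carry none) and so is the "Part of subcall function" prefix.
API_CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Example's own mapping from API name to the behaviour it indicates (assumption).
RISKY_APIS = {
    "BlockInput": "blocks mouse and keyboard input (hinders debugging / locks out the user)",
    "AdjustTokenPrivileges": "changes token privileges (privilege manipulation)",
    "LogonUserW": "authenticates with supplied credentials",
    "mouse_event": "synthesises mouse input",
    "GetUserNameW": "reads the current user name (host fingerprinting)",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter (anti-debugging trick)",
    "IsDebuggerPresent": "checks for an attached debugger",
}
BLOCKINPUT_ENABLE = "00000001"  # BlockInput(TRUE); BlockInput(FALSE) merely releases input


def parse_api_calls(text):
    """Split the text at each 'APIs' heading and return one list of call dicts per entry."""
    entries = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_CALL_RE.match(stripped)
        if m is None or current is None:
            continue  # headings, hashes and dump-source lines are ignored
        args = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [] if args is None else args.split(","),
            "ref": int(m.group("ref"), 16),
            "subcall_of": m.group("parent"),  # None for direct calls
        })
    return entries


def flag_calls(entries):
    """Return (entry_index, api, ref_hex, reason) for each call in RISKY_APIS."""
    findings = []
    for idx, entry in enumerate(entries):
        for call in entry:
            reason = RISKY_APIS.get(call["api"])
            if reason is None:
                continue
            # Only the enabling call is interesting; BlockInput(FALSE) is cleanup.
            if call["api"] == "BlockInput" and call["args"] and call["args"][0] != BLOCKINPUT_ENABLE:
                continue
            findings.append((idx, call["api"], f"{call['ref']:08X}", reason))
    return findings


def calls_per_module(entries):
    """Count resolved calls per module, a quick view of which DLLs the binary leans on."""
    return Counter(call["module"] for entry in entries for call in entry)


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE_REPORT)
    for idx, api, ref, reason in flag_calls(parsed):
        print(f"entry {idx}: {api} @ {ref}: {reason}")
    print(dict(calls_per_module(parsed)))
```

The parser deliberately keeps `subcall_of`, because a call recorded as "Part of subcall function" belongs to a callee, not to the function whose hash is listed; when correlating a finding with an `Instruction Fuzzy Hash`, attribute it to the parent address instead.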
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1f830bfb78104a99eb37cd5f9e771e7eb1fc7736eb585c781c06d71eb7f942cb
                                    • Instruction ID: bf7047d232f6729fe4d078efe7f852091dd435761b80dd0ebf3baf8a2d3b644d
                                    • Opcode Fuzzy Hash: 1f830bfb78104a99eb37cd5f9e771e7eb1fc7736eb585c781c06d71eb7f942cb
                                    • Instruction Fuzzy Hash: B822F530905616CFDF28DB38C4946BD77A3EB42304F68866AD8439B792DB349D82CB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: 0fd1e358f9af722d1d8fe744d1158b774459a7b4c6b2ddb15cecc371ad10df5d
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: A5C195322050930ADF2D463DD43507EBAE25AA37B131A875EE4BBCF6C5EF14D564D620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: 24747cf4b818010c2ef98c5b5f316d0c727620e1e94bf98fd094cd04665d51e8
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: A5C1B53220519309DF6D4A3E843507EBBE25BA37B131A476EE4BADF6C4EF24D524D620
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction ID: 7374593bd1358e6ef409683f975250cf330f55a708b4c9aca6969895b6f7db82
                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                    • Instruction Fuzzy Hash: C741A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction ID: 1631b006610f92239c92e2cbf6f0278f8c4287add96568dd82c6a6c929c76261
                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                    • Instruction Fuzzy Hash: 4E019279E11209EFCB45DF98C5909AEFBB5FB48350F24859AED09A7701D730AE41DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction ID: 21e2c9b372d5f5e49590a46367bf153675d7d76f9f0a34a7bebe815a44ae3288
                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                    • Instruction Fuzzy Hash: EA018078A00209EFCB45DF98C5909AEF7B5FB48250B2485DAED09A7701D730AE41DB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2184494051.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_3f50000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 006C7B70
                                    • DeleteObject.GDI32(00000000), ref: 006C7B82
                                    • DestroyWindow.USER32 ref: 006C7B90
                                    • GetDesktopWindow.USER32 ref: 006C7BAA
                                    • GetWindowRect.USER32(00000000), ref: 006C7BB1
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006C7CF2
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006C7D02
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7D4A
                                    • GetClientRect.USER32(00000000,?), ref: 006C7D56
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006C7D90
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DB2
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DC5
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DD0
                                    • GlobalLock.KERNEL32(00000000), ref: 006C7DD9
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DE8
                                    • GlobalUnlock.KERNEL32(00000000), ref: 006C7DF1
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DF8
                                    • GlobalFree.KERNEL32(00000000), ref: 006C7E03
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7E15
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006E2CAC,00000000), ref: 006C7E2B
                                    • GlobalFree.KERNEL32(00000000), ref: 006C7E3B
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006C7E61
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006C7E80
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7EA2
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C808F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    • Opcode ID: 12e74ccd730d018d310ee0143405494b5c8a7fc749ff0571ea5fe62f322ee418
                                    • Instruction ID: 0de0ef4ea4dfdbb9eb8e55bc9a0e157ccc71c13f86fa9c451173b8e4d4ed98ec
                                    • Opcode Fuzzy Hash: 12e74ccd730d018d310ee0143405494b5c8a7fc749ff0571ea5fe62f322ee418
                                    • Instruction Fuzzy Hash: F7025C71900119EFDB14DF68DC89EAE7BBAFB48310F14815DF916AB2A1CB74AD01CB64
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,006DF910), ref: 006D38AF
                                    • IsWindowVisible.USER32(?), ref: 006D38D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharUpperVisibleWindow
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 4105515805-45149045
                                    • Opcode ID: 3f594fc05808b278b17aab4884f1ebd317ed519d977216533f8c69645352b57b
                                    • Instruction ID: b87ce7d0460504067565c13931f714b3616587a3178fcc420779a0a400d923e1
                                    • Opcode Fuzzy Hash: 3f594fc05808b278b17aab4884f1ebd317ed519d977216533f8c69645352b57b
                                    • Instruction Fuzzy Hash: D9D18130614315DBCB54EF10C451AAAB7E3AF54344F14846EB8865B3E2CB31EF0ACB66
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 006DA89F
                                    • GetSysColorBrush.USER32(0000000F), ref: 006DA8D0
                                    • GetSysColor.USER32(0000000F), ref: 006DA8DC
                                    • SetBkColor.GDI32(?,000000FF), ref: 006DA8F6
                                    • SelectObject.GDI32(?,?), ref: 006DA905
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006DA930
                                    • GetSysColor.USER32(00000010), ref: 006DA938
                                    • CreateSolidBrush.GDI32(00000000), ref: 006DA93F
                                    • FrameRect.USER32(?,?,00000000), ref: 006DA94E
                                    • DeleteObject.GDI32(00000000), ref: 006DA955
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 006DA9A0
                                    • FillRect.USER32(?,?,?), ref: 006DA9D2
                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DA9FD
                                      • Part of subcall function 006DAB60: GetSysColor.USER32(00000012), ref: 006DAB99
                                      • Part of subcall function 006DAB60: SetTextColor.GDI32(?,?), ref: 006DAB9D
                                      • Part of subcall function 006DAB60: GetSysColorBrush.USER32(0000000F), ref: 006DABB3
                                      • Part of subcall function 006DAB60: GetSysColor.USER32(0000000F), ref: 006DABBE
                                      • Part of subcall function 006DAB60: GetSysColor.USER32(00000011), ref: 006DABDB
                                      • Part of subcall function 006DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DABE9
                                      • Part of subcall function 006DAB60: SelectObject.GDI32(?,00000000), ref: 006DABFA
                                      • Part of subcall function 006DAB60: SetBkColor.GDI32(?,00000000), ref: 006DAC03
                                      • Part of subcall function 006DAB60: SelectObject.GDI32(?,?), ref: 006DAC10
                                      • Part of subcall function 006DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 006DAC2F
                                      • Part of subcall function 006DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DAC46
                                      • Part of subcall function 006DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 006DAC5B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                    • String ID:
                                    • API String ID: 4124339563-0
                                    • Opcode ID: 10d6af0fee5155378ffc4c5258d7780676a9750c8dc19338e0656617ddf6a25c
                                    • Instruction ID: e4e640ba67d3197e179eb4d38421402c800be60956b91378d22c1e997cbdb210
                                    • Opcode Fuzzy Hash: 10d6af0fee5155378ffc4c5258d7780676a9750c8dc19338e0656617ddf6a25c
                                    • Instruction Fuzzy Hash: 75A1A371809301AFD7109F64DC08E5B7BAAFF88321F145B2AF952962E0D735D945CB52
                                    APIs
                                    • DestroyWindow.USER32(00000000), ref: 006C77F1
                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006C78B0
                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006C78EE
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006C7900
                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006C7946
                                    • GetClientRect.USER32(00000000,?), ref: 006C7952
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006C7996
                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006C79A5
                                    • GetStockObject.GDI32(00000011), ref: 006C79B5
                                    • SelectObject.GDI32(00000000,00000000), ref: 006C79B9
                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006C79C9
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006C79D2
                                    • DeleteDC.GDI32(00000000), ref: 006C79DB
                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006C7A07
                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 006C7A1E
                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006C7A59
                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006C7A6D
                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 006C7A7E
                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006C7AAE
                                    • GetStockObject.GDI32(00000011), ref: 006C7AB9
                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006C7AC4
                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006C7ACE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                    • API String ID: 2910397461-517079104
                                    • Opcode ID: afa7fb8ba34f0f47517689703c3625598ff51920d440461615955a439a837ba5
                                    • Instruction ID: 17767a799c6830c428b946acc4f5dbe986e4793b0158ff5c801e04b913a10dd1
                                    • Opcode Fuzzy Hash: afa7fb8ba34f0f47517689703c3625598ff51920d440461615955a439a837ba5
                                    • Instruction Fuzzy Hash: A7A19371A41215BFEB14DBA8DC4AFEE7BBAEB44710F048119FA15A72E0D774AD00CB64
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 006BAF89
                                    • GetDriveTypeW.KERNEL32(?,006DFAC0,?,\\.\,006DF910), ref: 006BB066
                                    • SetErrorMode.KERNEL32(00000000,006DFAC0,?,\\.\,006DF910), ref: 006BB1C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: 4aff4ece2fcdd935409d53b853eb29e38a14ca33bb24a5950123bcbeafa652f3
                                    • Instruction ID: 819c819179c410b5c7a4d52e212091e0343d4cb69e939158c613430ca977392a
                                    • Opcode Fuzzy Hash: 4aff4ece2fcdd935409d53b853eb29e38a14ca33bb24a5950123bcbeafa652f3
                                    • Instruction Fuzzy Hash: 2051A4F0684305EBCB10EB18C9529FD73F3AB54341F24A119E44AA72D2C7B99D87DB52
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: adf3c5ba5a12d66b32aae4a587de6ba889942360bbd0e2df67a77e762af51e5a
                                    • Instruction ID: dab05a5e9689974be4cb3ee9c14ea593c94d04fda2d315836abba58a5677028e
                                    • Opcode Fuzzy Hash: adf3c5ba5a12d66b32aae4a587de6ba889942360bbd0e2df67a77e762af51e5a
                                    • Instruction Fuzzy Hash: 1D8127B0A00355BBCB20BB24CC93FAE776BAF15301F448129FD45AB282EB61DA59D355
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 006DAB99
                                    • SetTextColor.GDI32(?,?), ref: 006DAB9D
                                    • GetSysColorBrush.USER32(0000000F), ref: 006DABB3
                                    • GetSysColor.USER32(0000000F), ref: 006DABBE
                                    • CreateSolidBrush.GDI32(?), ref: 006DABC3
                                    • GetSysColor.USER32(00000011), ref: 006DABDB
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DABE9
                                    • SelectObject.GDI32(?,00000000), ref: 006DABFA
                                    • SetBkColor.GDI32(?,00000000), ref: 006DAC03
                                    • SelectObject.GDI32(?,?), ref: 006DAC10
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 006DAC2F
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DAC46
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006DAC5B
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006DACA7
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006DACCE
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 006DACEC
                                    • DrawFocusRect.USER32(?,?), ref: 006DACF7
                                    • GetSysColor.USER32(00000011), ref: 006DAD05
                                    • SetTextColor.GDI32(?,00000000), ref: 006DAD0D
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006DAD21
                                    • SelectObject.GDI32(?,006DA869), ref: 006DAD38
                                    • DeleteObject.GDI32(?), ref: 006DAD43
                                    • SelectObject.GDI32(?,?), ref: 006DAD49
                                    • DeleteObject.GDI32(?), ref: 006DAD4E
                                    • SetTextColor.GDI32(?,?), ref: 006DAD54
                                    • SetBkColor.GDI32(?,?), ref: 006DAD5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: 37355083b629db9e7ff8f169ea8b4323f474737882a6a649ee372870986643cc
                                    • Instruction ID: 2d6d7b8363d8eb81812a8d549b510ad3fc9055a9a13fcd7cbacaacda37087531
                                    • Opcode Fuzzy Hash: 37355083b629db9e7ff8f169ea8b4323f474737882a6a649ee372870986643cc
                                    • Instruction Fuzzy Hash: 2A615E71D01218EFDF119FA4DC48EAE7BBAEB08320F148126F916AB2A1D7759D40DB90
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006D8D34
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8D45
                                    • CharNextW.USER32(0000014E), ref: 006D8D74
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006D8DB5
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006D8DCB
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8DDC
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006D8DF9
                                    • SetWindowTextW.USER32(?,0000014E), ref: 006D8E45
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006D8E5B
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006D8E8C
                                    • _memset.LIBCMT ref: 006D8EB1
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006D8EFA
                                    • _memset.LIBCMT ref: 006D8F59
                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006D8F83
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 006D8FDB
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 006D9088
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006D90AA
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D90F4
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D9121
                                    • DrawMenuBar.USER32(?), ref: 006D9130
                                    • SetWindowTextW.USER32(?,0000014E), ref: 006D9158
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: f801ac021a15212dd68e1c6202c0c09baad30f1e97355094c7141454cdee645e
                                    • Instruction ID: 0cf68ad6a15807188ffc3bd0f4e9bc10fcceccec7086217a1a4b5846b5ad783e
                                    • Opcode Fuzzy Hash: f801ac021a15212dd68e1c6202c0c09baad30f1e97355094c7141454cdee645e
                                    • Instruction Fuzzy Hash: EAE16F70D01219AEDB209F64CC88AEE7B7AEF05710F10815AF9169B3D1DB749A81DF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 006D4C51
                                    • GetDesktopWindow.USER32 ref: 006D4C66
                                    • GetWindowRect.USER32(00000000), ref: 006D4C6D
                                    • GetWindowLongW.USER32(?,000000F0), ref: 006D4CCF
                                    • DestroyWindow.USER32(?), ref: 006D4CFB
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006D4D24
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006D4D42
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006D4D68
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 006D4D7D
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006D4D90
                                    • IsWindowVisible.USER32(?), ref: 006D4DB0
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006D4DCB
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006D4DDF
                                    • GetWindowRect.USER32(?,?), ref: 006D4DF7
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 006D4E1D
                                    • GetMonitorInfoW.USER32(00000000,?), ref: 006D4E37
                                    • CopyRect.USER32(?,?), ref: 006D4E4E
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 006D4EB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 51eeea6f448c1219de97e8b3e027f5d7f0705ed41b40110771533bc0f52167aa
                                    • Instruction ID: a2335055d38dcf2aecc2f3024dde6194252c7d38ad60bcae4bf686651098e9e0
                                    • Opcode Fuzzy Hash: 51eeea6f448c1219de97e8b3e027f5d7f0705ed41b40110771533bc0f52167aa
                                    • Instruction Fuzzy Hash: EFB15A71A05340AFDB44DF24C845B6ABBE6BF84314F00891EF9999B3A1DB71EC05CB95
                                    APIs
                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006B46E8
                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006B470E
                                    • _wcscpy.LIBCMT ref: 006B473C
                                    • _wcscmp.LIBCMT ref: 006B4747
                                    • _wcscat.LIBCMT ref: 006B475D
                                    • _wcsstr.LIBCMT ref: 006B4768
                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006B4784
                                    • _wcscat.LIBCMT ref: 006B47CD
                                    • _wcscat.LIBCMT ref: 006B47D4
                                    • _wcsncpy.LIBCMT ref: 006B47FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 699586101-1459072770
                                    • Opcode ID: fa8e35dce1799a3a2adb66d8c1f3f2287440d7f7bec20196b7d0e0c5d560f4f3
                                    • Instruction ID: 6fd29ac1a70590d622dabf0763e85af306e6052ddf2a95c59f963a586a199a56
                                    • Opcode Fuzzy Hash: fa8e35dce1799a3a2adb66d8c1f3f2287440d7f7bec20196b7d0e0c5d560f4f3
                                    • Instruction Fuzzy Hash: 564117B1A00215BAD710A7749C42EFF77BEDF41710F04416EF909A6283EF34AA4197A9
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528BC
                                    • GetSystemMetrics.USER32(00000007), ref: 006528C4
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528EF
                                    • GetSystemMetrics.USER32(00000008), ref: 006528F7
                                    • GetSystemMetrics.USER32(00000004), ref: 0065291C
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00652939
                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00652949
                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0065297C
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00652990
                                    • GetClientRect.USER32(00000000,000000FF), ref: 006529AE
                                    • GetStockObject.GDI32(00000011), ref: 006529CA
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 006529D5
                                      • Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
                                      • Part of subcall function 00652344: ScreenToClient.USER32(007167B0,?), ref: 00652374
                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000001), ref: 00652399
                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000002), ref: 006523A7
                                    • SetTimer.USER32(00000000,00000000,00000028,00651256), ref: 006529FC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: c5d0f7b366a92a5ac1f493cf79d8b8ae71fa64b97168c08722dae3c8f37b3ad8
                                    • Instruction ID: bb0a6846b3f16f7ffc7403b01894f91058f1fb19239a789f1be93b8eb048c997
                                    • Opcode Fuzzy Hash: c5d0f7b366a92a5ac1f493cf79d8b8ae71fa64b97168c08722dae3c8f37b3ad8
                                    • Instruction Fuzzy Hash: 75B16D71A0020AEFDB14DFA8DC55BEE7BB6FB08311F108229FA16A62D0DB74D945CB54
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 006D40F6
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006D41B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: bcd364c92a926a01e56477df169ff49366aa5da23db2f06fb58ce95639537881
                                    • Instruction ID: 3f047c2a32fca083b2bc124acf35e01e09beaeb0d01bf4ee7087c8e80681e56b
                                    • Opcode Fuzzy Hash: bcd364c92a926a01e56477df169ff49366aa5da23db2f06fb58ce95639537881
                                    • Instruction Fuzzy Hash: 57A18F30614301DBCB54EF24C851A6AB3E7AF85314F14896DB89A9B7D2DF30ED0ACB65
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 006C5309
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 006C5314
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 006C531F
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 006C532A
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 006C5335
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 006C5340
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 006C534B
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 006C5356
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 006C5361
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 006C536C
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 006C5377
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 006C5382
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 006C538D
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 006C5398
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 006C53A3
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 006C53AE
                                    • GetCursorInfo.USER32(?), ref: 006C53BE
                                    • GetLastError.KERNEL32(00000001,00000000), ref: 006C53E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$ErrorInfoLast
                                    • String ID:
                                    • API String ID: 3215588206-0
                                    • Opcode ID: cb861079d6f4e7388c9010d3cca8d011eda11db6271efbb30b1f60fa58041c78
                                    • Instruction ID: 776b55ef65e3e53df467acc0af35c5f96eae51f5f016c7828152c4128a450b75
                                    • Opcode Fuzzy Hash: cb861079d6f4e7388c9010d3cca8d011eda11db6271efbb30b1f60fa58041c78
                                    • Instruction Fuzzy Hash: 0C418470E043196ADB109FBA8C49D6FFFF9EF51B10B10452FE50AE7290DAB8A441CE61
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 006AAAA5
                                    • __swprintf.LIBCMT ref: 006AAB46
                                    • _wcscmp.LIBCMT ref: 006AAB59
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006AABAE
                                    • _wcscmp.LIBCMT ref: 006AABEA
                                    • GetClassNameW.USER32(?,?,00000400), ref: 006AAC21
                                    • GetDlgCtrlID.USER32(?), ref: 006AAC73
                                    • GetWindowRect.USER32(?,?), ref: 006AACA9
                                    • GetParent.USER32(?), ref: 006AACC7
                                    • ScreenToClient.USER32(00000000), ref: 006AACCE
                                    • GetClassNameW.USER32(?,?,00000100), ref: 006AAD48
                                    • _wcscmp.LIBCMT ref: 006AAD5C
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 006AAD82
                                    • _wcscmp.LIBCMT ref: 006AAD96
                                      • Part of subcall function 0067386C: _iswctype.LIBCMT ref: 00673874
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                    • String ID: %s%u
                                    • API String ID: 3744389584-679674701
                                    • Opcode ID: 4ab030c1172cb07ab49f94a8edf8329c1b10380341d5397bd15f7d36f6544988
                                    • Instruction ID: d1207824b86c077531e082b3f3ee812a8770e92b689141c9544252d0f87691da
                                    • Opcode Fuzzy Hash: 4ab030c1172cb07ab49f94a8edf8329c1b10380341d5397bd15f7d36f6544988
                                    • Instruction Fuzzy Hash: 0DA1B171604306ABD714EFA4C884BEAB7EAFF05315F00852EF99A92691D730ED45CF92
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 006AB3DB
                                    • _wcscmp.LIBCMT ref: 006AB3EC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 006AB414
                                    • CharUpperBuffW.USER32(?,00000000), ref: 006AB431
                                    • _wcscmp.LIBCMT ref: 006AB44F
                                    • _wcsstr.LIBCMT ref: 006AB460
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 006AB498
                                    • _wcscmp.LIBCMT ref: 006AB4A8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 006AB4CF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 006AB518
                                    • _wcscmp.LIBCMT ref: 006AB528
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 006AB550
                                    • GetWindowRect.USER32(00000004,?), ref: 006AB5B9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: 07d77fb6b4c1d4a70fc11d49f38f617db85552dc496df522c2f9656eeaae6d8a
                                    • Instruction ID: 7aba9761298b337f3d90df91745c85073aa57f303adadf95e93275b72c5b01d9
                                    • Opcode Fuzzy Hash: 07d77fb6b4c1d4a70fc11d49f38f617db85552dc496df522c2f9656eeaae6d8a
                                    • Instruction Fuzzy Hash: 8B819D710042059BDB04EF10D885FAABBEAEF45314F04A56EFD898A297DB34DD49CFA1
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • DragQueryPoint.SHELL32(?,?), ref: 006DC917
                                      • Part of subcall function 006DADF1: ClientToScreen.USER32(?,?), ref: 006DAE1A
                                      • Part of subcall function 006DADF1: GetWindowRect.USER32(?,?), ref: 006DAE90
                                      • Part of subcall function 006DADF1: PtInRect.USER32(?,?,006DC304), ref: 006DAEA0
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006DC980
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006DC98B
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006DC9AE
                                    • _wcscat.LIBCMT ref: 006DC9DE
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 006DC9F5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006DCA0E
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006DCA25
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 006DCA47
                                    • DragFinish.SHELL32(?), ref: 006DCA4E
                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006DCB41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prq
                                    • API String ID: 169749273-4109042146
                                    • Opcode ID: 06b9352272302aa80136e40311a1e31340e01be7985999d95c609dcd6493d980
                                    • Instruction ID: fa7f0d7806a282c5b4a8b61cf1eef20b6aa28eccf848ab30a027ce1eac2f44cd
                                    • Opcode Fuzzy Hash: 06b9352272302aa80136e40311a1e31340e01be7985999d95c609dcd6493d980
                                    • Instruction Fuzzy Hash: 87615B71508301AFC701DF64DC85D9FBBFAEF89710F004A2EF592962A1DB709A49CB66
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: 87f5430dd593bcc69f4c9832b55b7cba659763724d958d8ff024e57b1a930ee3
                                    • Instruction ID: feddef4f8cb6dc9b7a30f4ede1bbe1149f37b8e537f6ed3fd8ebf214e045c5e0
                                    • Opcode Fuzzy Hash: 87f5430dd593bcc69f4c9832b55b7cba659763724d958d8ff024e57b1a930ee3
                                    • Instruction Fuzzy Hash: CF319E71904205E6DB50FA60DD43FEE77A69F21751F600229B901711D3EF566F08C999
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 006AC4D4
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006AC4E6
                                    • SetWindowTextW.USER32(?,?), ref: 006AC4FD
                                    • GetDlgItem.USER32(?,000003EA), ref: 006AC512
                                    • SetWindowTextW.USER32(00000000,?), ref: 006AC518
                                    • GetDlgItem.USER32(?,000003E9), ref: 006AC528
                                    • SetWindowTextW.USER32(00000000,?), ref: 006AC52E
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006AC54F
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006AC569
                                    • GetWindowRect.USER32(?,?), ref: 006AC572
                                    • SetWindowTextW.USER32(?,?), ref: 006AC5DD
                                    • GetDesktopWindow.USER32 ref: 006AC5E3
                                    • GetWindowRect.USER32(00000000), ref: 006AC5EA
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006AC636
                                    • GetClientRect.USER32(?,?), ref: 006AC643
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006AC668
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006AC693
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: 5652f0fdce8100717e583226d8b45bd9bd513571e39768cb023fa32c2b6e029e
                                    • Instruction ID: d9ee03ca9ccc312faccddeb4b843a7f3945bf3b53ec6fad14fb1ca0b1254b05f
                                    • Opcode Fuzzy Hash: 5652f0fdce8100717e583226d8b45bd9bd513571e39768cb023fa32c2b6e029e
                                    • Instruction Fuzzy Hash: AA514C70900709AFDB20EFA8DD85BAEBBF6FF04715F004529E686A26A0D774E914CF50
                                    APIs
                                    • _memset.LIBCMT ref: 006DA4C8
                                    • DestroyWindow.USER32(?,?), ref: 006DA542
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006DA5BC
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006DA5DE
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA5F1
                                    • DestroyWindow.USER32(00000000), ref: 006DA613
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00650000,00000000), ref: 006DA64A
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA663
                                    • GetDesktopWindow.USER32 ref: 006DA67C
                                    • GetWindowRect.USER32(00000000), ref: 006DA683
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006DA69B
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006DA6B3
                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 1297703922-3619404913
                                    • Opcode ID: 09a82718b3d8ab6cff1d93debf66112b922e397c6030dc53e97c81d7828b44a2
                                    • Instruction ID: 97455ba9359c799947d4495cd405abd053bd506cf743809de26c09c5b76c1e89
                                    • Opcode Fuzzy Hash: 09a82718b3d8ab6cff1d93debf66112b922e397c6030dc53e97c81d7828b44a2
                                    • Instruction Fuzzy Hash: 99719C71944245EFD720CF68CC45FA677E6EB88304F088A2EF985873A0D775E906CB16
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 006D46AB
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006D46F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    • Opcode ID: c5a2b55ccd14b6d458f2116681b9f4027cbfb347de4f2abdff40ba1defad9db8
                                    • Instruction ID: 736fe5c90680beeb47fa3c521221aa1eb0cefef5d9a6744ef8ff087f18dfabca
                                    • Opcode Fuzzy Hash: c5a2b55ccd14b6d458f2116681b9f4027cbfb347de4f2abdff40ba1defad9db8
                                    • Instruction Fuzzy Hash: A5917B34604301DFCB54EF20C851A6AB7A3AF95354F04886EF8965B7A2CF35ED0ACB95
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006DBB6E
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006D9431), ref: 006DBBCA
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DBC03
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006DBC46
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DBC7D
                                    • FreeLibrary.KERNEL32(?), ref: 006DBC89
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006DBC99
                                    • DestroyIcon.USER32(?,?,?,?,?,006D9431), ref: 006DBCA8
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006DBCC5
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006DBCD1
                                      • Part of subcall function 0067313D: __wcsicmp_l.LIBCMT ref: 006731C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 1212759294-1154884017
                                    • Opcode ID: b195d082939941d17c9fcca6e4e76dccbefac8426e98435f41922f3c42ab0b84
                                    • Instruction ID: 908de9ff7d5c59f6345c529e86d977482ca9a35d189ffda7a1964aeedfb1490f
                                    • Opcode Fuzzy Hash: b195d082939941d17c9fcca6e4e76dccbefac8426e98435f41922f3c42ab0b84
                                    • Instruction Fuzzy Hash: D161BE71A00219FAEB14DF64CC45FFA77AAFB08711F10911AF815D62D1DBB4AA80CBA0
                                    APIs
                                    • LoadStringW.USER32(00000066,?,00000FFF,006DFB78), ref: 006BA0FC
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                    • LoadStringW.USER32(?,?,00000FFF,?), ref: 006BA11E
                                    • __swprintf.LIBCMT ref: 006BA177
                                    • __swprintf.LIBCMT ref: 006BA190
                                    • _wprintf.LIBCMT ref: 006BA246
                                    • _wprintf.LIBCMT ref: 006BA264
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%n
                                    • API String ID: 311963372-3486102242
                                    • Opcode ID: 7c9260ba97a3be70cd54deaab51cdb3d951bd7e49c628429acc1cac673a661b0
                                    • Instruction ID: 5065d54c3198ff42beebbff972541c76b539dd8b0e3a3a4bb5c89786f4868642
                                    • Opcode Fuzzy Hash: 7c9260ba97a3be70cd54deaab51cdb3d951bd7e49c628429acc1cac673a661b0
                                    • Instruction Fuzzy Hash: C751D371800209BBCF55EBE0DD86EEEB77AAF04301F104169F905721A1EB356F88DB55
                                    APIs
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • CharLowerBuffW.USER32(?,?), ref: 006BA636
                                    • GetDriveTypeW.KERNEL32 ref: 006BA683
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA6CB
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA702
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA730
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 2698844021-4113822522
                                    • Opcode ID: a923370485a0ba044834a7a53c0836b43075b0c4673058ba76ee8f553bdc4165
                                    • Instruction ID: 57f2174a1974b91acdb40c968e6ccf208db4e84535d9c4ff10fcd9f640a9c8df
                                    • Opcode Fuzzy Hash: a923370485a0ba044834a7a53c0836b43075b0c4673058ba76ee8f553bdc4165
                                    • Instruction Fuzzy Hash: 33515BB51083049FC740EF20D8918AAB7F6FF84718F04896DF896572A1DB31EE0ACB52
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006BA47A
                                    • __swprintf.LIBCMT ref: 006BA49C
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 006BA4D9
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006BA4FE
                                    • _memset.LIBCMT ref: 006BA51D
                                    • _wcsncpy.LIBCMT ref: 006BA559
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006BA58E
                                    • CloseHandle.KERNEL32(00000000), ref: 006BA599
                                    • RemoveDirectoryW.KERNEL32(?), ref: 006BA5A2
                                    • CloseHandle.KERNEL32(00000000), ref: 006BA5AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    • Opcode ID: 1e7119c2dbd67ddad4249bd158936bd9bc309c5451d7fcd37b196ea45c15cdac
                                    • Instruction ID: 14d3250fd45fb7470b315bf70f2492fc01fad782480c332cebae08f573b642e0
                                    • Opcode Fuzzy Hash: 1e7119c2dbd67ddad4249bd158936bd9bc309c5451d7fcd37b196ea45c15cdac
                                    • Instruction Fuzzy Hash: 4131C3B2900119ABDB21DFA0DC48FEB33BEEF88701F1041B6F909D2260E77097848B65
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 006BDC7B
                                    • _wcscat.LIBCMT ref: 006BDC93
                                    • _wcscat.LIBCMT ref: 006BDCA5
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006BDCBA
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BDCCE
                                    • GetFileAttributesW.KERNEL32(?), ref: 006BDCE6
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 006BDD00
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006BDD12
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    • Opcode ID: df4ba5cae5187c4770bea8c653505845acd15784ef650fb615447a06f8ebcf76
                                    • Instruction ID: f34f855f79d052ec5967bb01d3bb90ae77583259a75293af0bca4cbac0a39163
                                    • Opcode Fuzzy Hash: df4ba5cae5187c4770bea8c653505845acd15784ef650fb615447a06f8ebcf76
                                    • Instruction Fuzzy Hash: 7C8181F55042419FCB64DF24C8459EAB7EABF88350F19882EF88ACB251F734D985CB52
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006DC4EC
                                    • GetFocus.USER32 ref: 006DC4FC
                                    • GetDlgCtrlID.USER32(00000000), ref: 006DC507
                                    • _memset.LIBCMT ref: 006DC632
                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006DC65D
                                    • GetMenuItemCount.USER32(?), ref: 006DC67D
                                    • GetMenuItemID.USER32(?,00000000), ref: 006DC690
                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006DC6C4
                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006DC70C
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006DC744
                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006DC779
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 1296962147-4108050209
                                    • Opcode ID: 334488e19ee4765fb68c8022aa621429878377097582d2016aff0acfdfd26d0a
                                    • Instruction ID: 895e8a1fbe874dcf3bb55e783ed3a0de78fe408b515a0169414cda3a69d433b3
                                    • Opcode Fuzzy Hash: 334488e19ee4765fb68c8022aa621429878377097582d2016aff0acfdfd26d0a
                                    • Instruction Fuzzy Hash: 7B816E70A083469FD710CF14D984AABBBEAFB88324F10452EF99597391D730E905DFA2
                                    APIs
                                      • Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
                                      • Part of subcall function 006A874A: GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
                                      • Part of subcall function 006A874A: GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
                                      • Part of subcall function 006A874A: HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
                                      • Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D
                                      • Part of subcall function 006A87E7: GetProcessHeap.KERNEL32(00000008,006A8240,00000000,00000000,?,006A8240,?), ref: 006A87F3
                                      • Part of subcall function 006A87E7: HeapAlloc.KERNEL32(00000000,?,006A8240,?), ref: 006A87FA
                                      • Part of subcall function 006A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006A8240,?), ref: 006A880B
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006A8458
                                    • _memset.LIBCMT ref: 006A846D
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006A848C
                                    • GetLengthSid.ADVAPI32(?), ref: 006A849D
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 006A84DA
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006A84F6
                                    • GetLengthSid.ADVAPI32(?), ref: 006A8513
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006A8522
                                    • HeapAlloc.KERNEL32(00000000), ref: 006A8529
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006A854A
                                    • CopySid.ADVAPI32(00000000), ref: 006A8551
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006A8582
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006A85A8
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006A85BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 3996160137-0
                                    • Opcode ID: 49142e0410ece62f34013bc835ecd100de6af0c8e146b7ca28cbb7b2ed5889b9
                                    • Instruction ID: 1af1a71d08fe7d67b522f8d25b4f48b74bb46f30495ce3b312ce739b60bc9e8a
                                    • Opcode Fuzzy Hash: 49142e0410ece62f34013bc835ecd100de6af0c8e146b7ca28cbb7b2ed5889b9
                                    • Instruction Fuzzy Hash: 6F611871D00209AFDF54AFA4DC45AEEBBBAFF05300B14816AF915A7291DB31AE15CF60
                                    APIs
                                    • GetDC.USER32(00000000), ref: 006C76A2
                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006C76AE
                                    • CreateCompatibleDC.GDI32(?), ref: 006C76BA
                                    • SelectObject.GDI32(00000000,?), ref: 006C76C7
                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006C771B
                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006C7757
                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006C777B
                                    • SelectObject.GDI32(00000006,?), ref: 006C7783
                                    • DeleteObject.GDI32(?), ref: 006C778C
                                    • DeleteDC.GDI32(00000006), ref: 006C7793
                                    • ReleaseDC.USER32(00000000,?), ref: 006C779E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                    • String ID: (
                                    • API String ID: 2598888154-3887548279
                                    • Opcode ID: 023aefa6f9277d55cf8c2f3d7565ca9d6c30a18a736a129d53ed5026410aa0f4
                                    • Instruction ID: a00835183f98fe43f1542320e15bc714438a13af78aede1009786236810a289f
                                    • Opcode Fuzzy Hash: 023aefa6f9277d55cf8c2f3d7565ca9d6c30a18a736a129d53ed5026410aa0f4
                                    • Instruction Fuzzy Hash: 48512875904209EFCB15CFA9CC85EAEBBBAEF48710F14852EF95A97210D731A941CF60
                                    APIs
                                      • Part of subcall function 00670B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00656C6C,?,00008000), ref: 00670BB7
                                      • Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656D0D
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00656E5A
                                      • Part of subcall function 006559CD: _wcscpy.LIBCMT ref: 00655A05
                                      • Part of subcall function 0067387D: _iswctype.LIBCMT ref: 00673885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 537147316-1018226102
                                    • Opcode ID: 2a5b919911ebfe161f369b31fa926aade33c3cbb7987baf6e334acb65357f29c
                                    • Instruction ID: eaec2d17347046b81cf353f456690f4cc53cd71a1e3b4e9fb2c5bf7027b7f69f
                                    • Opcode Fuzzy Hash: 2a5b919911ebfe161f369b31fa926aade33c3cbb7987baf6e334acb65357f29c
                                    • Instruction Fuzzy Hash: 4F02CE71108341DFC764EF24C891AAFBBE6BF99314F044A1DF88A972A1DB31D949CB46
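                                     The string references in this function (AU3!, EA06, >>>AUTOIT SCRIPT<<<) belong to the AutoIt 3 interpreter's script loader, which is what supports the report's "compiled AutoIt script" verdict. A practical triage check is to search a sample for these markers yourself and, more importantly, to tell the interpreter's own string literals apart from an actual embedded script header, where "AU3!" is immediately followed by the 4-byte format tag. The helper below is an added example written for this report; it is not Joe Sandbox or AutoIt code. The sample bytes are constructed, and treating any four upper-case ASCII alphanumerics after the magic as a candidate tag is an assumption of the helper, not something the dump states.

```python
"""Added triage helper (not Joe Sandbox or AutoIt code): locate the
compiled-AutoIt-script markers referenced by the function above
("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<") inside an arbitrary byte blob."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AU3_MAGIC = b"AU3!"
SCRIPT_BANNER = b">>>AUTOIT SCRIPT<<<"
# In a compiled AutoIt 3 binary the script header reads "AU3!" immediately
# followed by a 4-byte format tag ("EA06" for current v3 builds).  The
# interpreter code in this dump stores "AU3!" and "EA06" as separate string
# literals, so a bare "AU3!" hit only proves the runtime is present.
# Assumption for this helper: any four upper-case ASCII alphanumerics
# directly after the magic are treated as a candidate tag.
_TAG_RE = re.compile(rb"[A-Z0-9]{4}")


@dataclass
class Au3Findings:
    # offsets of ">>>AUTOIT SCRIPT<<<"
    banner_offsets: List[int] = field(default_factory=list)
    # (offset of "AU3!", decoded tag, or None when no tag follows)
    magic_hits: List[Tuple[int, Optional[str]]] = field(default_factory=list)

    @property
    def has_script_header(self) -> bool:
        """True only when "AU3!" is contiguous with a format tag."""
        return any(tag is not None for _, tag in self.magic_hits)


def _find_all(blob: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in blob (overlaps allowed)."""
    hits, pos = [], 0
    while (idx := blob.find(needle, pos)) != -1:
        hits.append(idx)
        pos = idx + 1
    return hits


def scan_autoit_markers(blob: bytes) -> Au3Findings:
    """Scan a file image for the AutoIt markers and classify each hit."""
    findings = Au3Findings(banner_offsets=_find_all(blob, SCRIPT_BANNER))
    for idx in _find_all(blob, AU3_MAGIC):
        tag_bytes = blob[idx + len(AU3_MAGIC): idx + len(AU3_MAGIC) + 4]
        # A truncated or non-alphanumeric tail yields None, so a bare literal
        # (or a hit at the very end of the blob) is never counted as a header.
        tag = tag_bytes.decode("ascii") if _TAG_RE.fullmatch(tag_bytes) else None
        findings.magic_hits.append((idx, tag))
    return findings


# Constructed sample, not bytes from the analysed file: a fake PE-like blob
# with an interpreter-style literal table (markers stored separately) and a
# contiguous script header further on.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"AU3!\x00\x00EA06\x00\x00"          # separate literals, as in the runtime
    + b"\x90" * 40
    + b"AU3!EA06"                          # contiguous header: script present
    + b"\x01\x02"
    + SCRIPT_BANNER + b"\x00" * 8
)

if __name__ == "__main__":
    f = scan_autoit_markers(SAMPLE_BLOB)
    for off, tag in f.magic_hits:
        print(f"AU3! at 0x{off:x}: tag={tag or 'none (bare literal)'}")
    print("banner at", [hex(o) for o in f.banner_offsets])
    print("script header present:", f.has_script_header)
```

                                     Run against a real sample, the first kind of hit (magic with no tag) is expected in any AutoIt-built executable, because the interpreter carries those literals; only the contiguous "AU3!" plus tag, usually alongside the banner, indicates that a compiled script is actually embedded and worth extracting.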
                                    APIs
                                    • _memset.LIBCMT ref: 006545F9
                                    • GetMenuItemCount.USER32(00716890), ref: 0068D7CD
                                    • GetMenuItemCount.USER32(00716890), ref: 0068D87D
                                    • GetCursorPos.USER32(?), ref: 0068D8C1
                                    • SetForegroundWindow.USER32(00000000), ref: 0068D8CA
                                    • TrackPopupMenuEx.USER32(00716890,00000000,?,00000000,00000000,00000000), ref: 0068D8DD
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0068D8E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 2751501086-0
                                    • Opcode ID: a1664a9d3f5f228c4b95fa4d54293ed5fd5e0c4089681f267dfec5a8878cd61a
                                    • Instruction ID: 0dd5c4b48dddb1a14162d2d252ded3e22123d9b980b09d35de8d39efb6e6c312
                                    • Opcode Fuzzy Hash: a1664a9d3f5f228c4b95fa4d54293ed5fd5e0c4089681f267dfec5a8878cd61a
                                    • Instruction Fuzzy Hash: 3B71F570A45205BFEB20AF24DC45FEABF67FF05368F244216F915A62E0CBB15850DBA4
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 006C8BEC
                                    • CoInitialize.OLE32(00000000), ref: 006C8C19
                                    • CoUninitialize.OLE32 ref: 006C8C23
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 006C8D23
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 006C8E50
                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006E2C0C), ref: 006C8E84
                                    • CoGetObject.OLE32(?,00000000,006E2C0C,?), ref: 006C8EA7
                                    • SetErrorMode.KERNEL32(00000000), ref: 006C8EBA
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006C8F3A
                                    • VariantClear.OLEAUT32(?), ref: 006C8F4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID: ,,n
                                    • API String ID: 2395222682-1563246951
                                    • Opcode ID: 7f9b0927ab45f508cbdef82d0076505295d57b24ab28e1174816c73d8285173e
                                    • Instruction ID: 55a1cbf14737b29862ae20493ea569b7be83d89893c77dca1485c958923d5c77
                                    • Opcode Fuzzy Hash: 7f9b0927ab45f508cbdef82d0076505295d57b24ab28e1174816c73d8285173e
                                    • Instruction Fuzzy Hash: 51C124B1604305AFD710DF24C884E6AB7EAFF89748F10496DF98A9B251DB31ED05CB52
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    • Opcode ID: 96a55894fac28868666c25b394255074fb0e99416f29c7dd47bd32abe43fce21
                                    • Instruction ID: 2f837458081811ee9f5ea2f5b34d5e99a9f88443f8246bcab5ca07fec1451a43
                                    • Opcode Fuzzy Hash: 96a55894fac28868666c25b394255074fb0e99416f29c7dd47bd32abe43fce21
                                    • Instruction Fuzzy Hash: 2A417E3094024EDBDF20EF90DC91AEA3766BF16300F108569FC955B391DB71AA5ACB60
                                    APIs
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                      • Part of subcall function 00657A84: _memmove.LIBCMT ref: 00657B0D
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006B55D2
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006B55E8
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006B55F9
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006B560B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006B561C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: SendString$_memmove
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 2279737902-1007645807
                                    • Opcode ID: 6296cb55380254f1009370b9cc9c9eec6bdeee3ce05975a129ea68f727401528
                                    • Instruction ID: d6916f7ed1a6dcb79cbb152216fd2477196040f72a28c396d5abb2c790139a71
                                    • Opcode Fuzzy Hash: 6296cb55380254f1009370b9cc9c9eec6bdeee3ce05975a129ea68f727401528
                                    • Instruction Fuzzy Hash: 1C11C4B0950269B9D720F771DC4ADFFBBBDEF95B00F400569B802A20D1EEA40D49C6A1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 208665112-3771769585
                                    • Opcode ID: a9432cf46539da9effaa448428799bc087d86fcf7bde290527a2eb57bdbeaeaf
                                    • Instruction ID: dfec8729ed1f24f2bb37d6fcb6d32009b069d1d20e320f5d95f0838cbbeb76d4
                                    • Opcode Fuzzy Hash: a9432cf46539da9effaa448428799bc087d86fcf7bde290527a2eb57bdbeaeaf
                                    • Instruction Fuzzy Hash: 3E11D271D04115ABCB24BB24AC0AEDB77BE9F01710F0481BAF40996192EF749AC19B65
                                    APIs
                                    • timeGetTime.WINMM ref: 006B521C
                                      • Part of subcall function 00670719: timeGetTime.WINMM(?,7694B400,00660FF9), ref: 0067071D
                                    • Sleep.KERNEL32(0000000A), ref: 006B5248
                                    • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 006B526C
                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006B528E
                                    • SetActiveWindow.USER32 ref: 006B52AD
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006B52BB
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 006B52DA
                                    • Sleep.KERNEL32(000000FA), ref: 006B52E5
                                    • IsWindow.USER32 ref: 006B52F1
                                    • EndDialog.USER32(00000000), ref: 006B5302
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    • Opcode ID: 8eebc02c4be021340ab96b806878c8e22db23ad266910254794c0a19f3105e05
                                    • Instruction ID: d2f9bd38ff08356dd1f195d5c6d8b45fa0c1bcd7a4867faca789249b38497b29
                                    • Opcode Fuzzy Hash: 8eebc02c4be021340ab96b806878c8e22db23ad266910254794c0a19f3105e05
                                    • Instruction Fuzzy Hash: A321A4B0606704AFE7045B24ED88BE53BABEB55346F04A439F103812F1DB759D90C725
                                    APIs
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • CoInitialize.OLE32(00000000), ref: 006BD855
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006BD8E8
                                    • SHGetDesktopFolder.SHELL32(?), ref: 006BD8FC
                                    • CoCreateInstance.OLE32(006E2D7C,00000000,00000001,0070A89C,?), ref: 006BD948
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006BD9B7
                                    • CoTaskMemFree.OLE32(?,?), ref: 006BDA0F
                                    • _memset.LIBCMT ref: 006BDA4C
                                    • SHBrowseForFolderW.SHELL32(?), ref: 006BDA88
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006BDAAB
                                    • CoTaskMemFree.OLE32(00000000), ref: 006BDAB2
                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006BDAE9
                                    • CoUninitialize.OLE32(00000001,00000000), ref: 006BDAEB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    • Opcode ID: c733d203a4e86a88c5baee379b4084718ee3184b75adf6c69e98bb240d79870f
                                    • Instruction ID: a130e54ae52127fbae10333da0528fdc1a77422ae52bf669748b4517dc24994d
                                    • Opcode Fuzzy Hash: c733d203a4e86a88c5baee379b4084718ee3184b75adf6c69e98bb240d79870f
                                    • Instruction Fuzzy Hash: 29B1FB75A00109AFDB44DF64C888DAEBBFAEF48315F148469F90AEB251DB30ED45CB54
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 006B05A7
                                    • SetKeyboardState.USER32(?), ref: 006B0612
                                    • GetAsyncKeyState.USER32(000000A0), ref: 006B0632
                                    • GetKeyState.USER32(000000A0), ref: 006B0649
                                    • GetAsyncKeyState.USER32(000000A1), ref: 006B0678
                                    • GetKeyState.USER32(000000A1), ref: 006B0689
                                    • GetAsyncKeyState.USER32(00000011), ref: 006B06B5
                                    • GetKeyState.USER32(00000011), ref: 006B06C3
                                    • GetAsyncKeyState.USER32(00000012), ref: 006B06EC
                                    • GetKeyState.USER32(00000012), ref: 006B06FA
                                    • GetAsyncKeyState.USER32(0000005B), ref: 006B0723
                                    • GetKeyState.USER32(0000005B), ref: 006B0731
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: 1f825c6c13f3afed44a47d434fd66c067a877f8b84a4f9abb5a89193243c6233
                                    • Instruction ID: 8aee886cb4c00391c62ed16504bc901ecc9c63df7bf392f3e24c8d3ca64e80ad
                                    • Opcode Fuzzy Hash: 1f825c6c13f3afed44a47d434fd66c067a877f8b84a4f9abb5a89193243c6233
                                    • Instruction Fuzzy Hash: 56511CA0A0478429FB34DBB085547EBBFB69F02380F08459ED5C25A6C3EA54ABCCCB55
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 006AC746
                                    • GetWindowRect.USER32(00000000,?), ref: 006AC758
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006AC7B6
                                    • GetDlgItem.USER32(?,00000002), ref: 006AC7C1
                                    • GetWindowRect.USER32(00000000,?), ref: 006AC7D3
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006AC827
                                    • GetDlgItem.USER32(?,000003E9), ref: 006AC835
                                    • GetWindowRect.USER32(00000000,?), ref: 006AC846
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006AC889
                                    • GetDlgItem.USER32(?,000003EA), ref: 006AC897
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006AC8B4
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006AC8C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    • Opcode ID: 7733a91f4127e4cb35e512958f1146ffa0680889bc104b44641406c6355cf91a
                                    • Instruction ID: ea993fe04d7010a548c4e522fa4f45c276ea0cbb5fec8b01a93e6eb53ce36b2b
                                    • Opcode Fuzzy Hash: 7733a91f4127e4cb35e512958f1146ffa0680889bc104b44641406c6355cf91a
                                    • Instruction Fuzzy Hash: 3B513E71B00205ABDB18DFA9DD99AAEBBBAFB89310F14812DF516D6290DB70DD008B50
                                    APIs
                                      • Part of subcall function 00651B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00652036,?,00000000,?,?,?,?,006516CB,00000000,?), ref: 00651B9A
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006520D3
                                    • KillTimer.USER32(-00000001,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0065216E
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0068BEF6
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF27
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF3E
                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF5A
                                    • DeleteObject.GDI32(00000000), ref: 0068BF6C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 641708696-0
                                    • Opcode ID: b208a7c6bfb42f5ef09fd0a0b6939628f545ac75ff4add3f449cb30a3d045550
                                    • Instruction ID: ff3e3a79845ceccad4a7a42357245e8cc3f1ca0b352e89427f93ba78f64ba714
                                    • Opcode Fuzzy Hash: b208a7c6bfb42f5ef09fd0a0b6939628f545ac75ff4add3f449cb30a3d045550
                                    • Instruction Fuzzy Hash: C661AC30502611DFCB35AF18DD58BAAB7F3FB41312F10952DEA4287AA0C775A895CF54
                                    APIs
                                      • Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC
                                    • GetSysColor.USER32(0000000F), ref: 006521D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    • Opcode ID: 6ae509c2ff3d26f520213af71422ae30d8ba29501e78f1641dbb14c37e013d49
                                    • Instruction ID: 5c1f5b92a026d0cc55974e48d19ded296b49bc8a6a0b7850c9231871ad896072
                                    • Opcode Fuzzy Hash: 6ae509c2ff3d26f520213af71422ae30d8ba29501e78f1641dbb14c37e013d49
                                    • Instruction Fuzzy Hash: ED41B1355011419ADB215F28EC98BF93B67EB07332F184366FD668A2E2C7318E46DB21
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,006DF910), ref: 006BAB76
                                    • GetDriveTypeW.KERNEL32(00000061,0070A620,00000061), ref: 006BAC40
                                    • _wcscpy.LIBCMT ref: 006BAC6A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    • Opcode ID: 7f958b15a1df28f13fa75c59617b516197dcf76598d05794d32971ff282c2692
                                    • Instruction ID: 564e36250ebee3548fdf486add16bcd1d8249e614b1135af32bc6c3626a57eaf
                                    • Opcode Fuzzy Hash: 7f958b15a1df28f13fa75c59617b516197dcf76598d05794d32971ff282c2692
                                    • Instruction Fuzzy Hash: 3E519C70108301DBC760EF54C891AAAB7E7EF80301F14892DF896572A2DB319D8ACB63
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                      • Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
                                      • Part of subcall function 00652344: ScreenToClient.USER32(007167B0,?), ref: 00652374
                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000001), ref: 00652399
                                      • Part of subcall function 00652344: GetAsyncKeyState.USER32(00000002), ref: 006523A7
                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006DC2E4
                                    • ImageList_EndDrag.COMCTL32 ref: 006DC2EA
                                    • ReleaseCapture.USER32 ref: 006DC2F0
                                    • SetWindowTextW.USER32(?,00000000), ref: 006DC39A
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006DC3AD
                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006DC48F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID$prq$prq
                                    • API String ID: 1924731296-770718762
                                    • Opcode ID: 0f012f7be23615ff40efc2ed34293f8525bb4e8fc99fe463525a036d5fec443a
                                    • Instruction ID: d72eff42643b02a41c96f2046b4ca83dd38f037a39d2a90e849c9a926d970da6
                                    • Opcode Fuzzy Hash: 0f012f7be23615ff40efc2ed34293f8525bb4e8fc99fe463525a036d5fec443a
                                    • Instruction Fuzzy Hash: 33518E70A04305AFD704DF28CC55FAA7BF6EB88310F00852EF9968B2E1DB759949CB56
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __i64tow__itow__swprintf
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 421087845-2263619337
                                    • Opcode ID: c0584c145074396144fc04eb66d3c7844a0a429074d0bbc9734acbcf121d3baa
                                    • Instruction ID: 892e2c48c00f70a03a6e8337007b62dcf759622f31d99410aef87aee7b7371a4
                                    • Opcode Fuzzy Hash: c0584c145074396144fc04eb66d3c7844a0a429074d0bbc9734acbcf121d3baa
                                    • Instruction Fuzzy Hash: 3C410371614205EBEF24EF38D842EBA73EAEB44300F24456EE949D7281EA719946DB21
                                    APIs
                                    • _memset.LIBCMT ref: 006D73D9
                                    • CreateMenu.USER32 ref: 006D73F4
                                    • SetMenu.USER32(?,00000000), ref: 006D7403
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D7490
                                    • IsMenu.USER32(?), ref: 006D74A6
                                    • CreatePopupMenu.USER32 ref: 006D74B0
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D74DD
                                    • DrawMenuBar.USER32 ref: 006D74E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                    • String ID: 0$F
                                    • API String ID: 176399719-3044882817
                                    • Opcode ID: dd05f47f8b108fc6ae664be13860206a6e8acbf7b39dc92724c36af6d2fbaf13
                                    • Instruction ID: 08ed89cdfe3f0ea571f3e717f66b901cfe17aee58dbc491a2e2d770e1b76d96b
                                    • Opcode Fuzzy Hash: dd05f47f8b108fc6ae664be13860206a6e8acbf7b39dc92724c36af6d2fbaf13
                                    • Instruction Fuzzy Hash: 8F415874A05205EFDB21DF68E884ADABBF6FF59300F14402AFD5697360E730A910CB51
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006D77CD
                                    • CreateCompatibleDC.GDI32(00000000), ref: 006D77D4
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006D77E7
                                    • SelectObject.GDI32(00000000,00000000), ref: 006D77EF
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 006D77FA
                                    • DeleteDC.GDI32(00000000), ref: 006D7803
                                    • GetWindowLongW.USER32(?,000000EC), ref: 006D780D
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006D7821
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006D782D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: f20030b62e8ebdf877097643b2084e908720873cd71358c61efaf0ad18f48fd0
                                    • Instruction ID: 0002ab595441554f3bf3935b0b61da8bef4a2d9226a2d9fc723efcda3b04df98
                                    • Opcode Fuzzy Hash: f20030b62e8ebdf877097643b2084e908720873cd71358c61efaf0ad18f48fd0
                                    • Instruction Fuzzy Hash: 8D319C32905215BBDF119FA5DC09FDA3B6AFF09321F114226FA16E62E0D731D821DBA4
                                    APIs
                                    • _memset.LIBCMT ref: 0067707B
                                      • Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68
                                    • __gmtime64_s.LIBCMT ref: 00677114
                                    • __gmtime64_s.LIBCMT ref: 0067714A
                                    • __gmtime64_s.LIBCMT ref: 00677167
                                    • __allrem.LIBCMT ref: 006771BD
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006771D9
                                    • __allrem.LIBCMT ref: 006771F0
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067720E
                                    • __allrem.LIBCMT ref: 00677225
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00677243
                                    • __invoke_watson.LIBCMT ref: 006772B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction ID: 99e0702c119f0158cd29e4034a09036167ca2336c8e8461ca4f41d3cda1eddb9
                                    • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                    • Instruction Fuzzy Hash: CA71B8B1A04717ABD714AE79CC41B9AB3A6AF14720F14C23EF528E7781FB70DA408794
                                    APIs
                                    • _memset.LIBCMT ref: 006B2A31
                                    • GetMenuItemInfoW.USER32(00716890,000000FF,00000000,00000030), ref: 006B2A92
                                    • SetMenuItemInfoW.USER32(00716890,00000004,00000000,00000030), ref: 006B2AC8
                                    • Sleep.KERNEL32(000001F4), ref: 006B2ADA
                                    • GetMenuItemCount.USER32(?), ref: 006B2B1E
                                    • GetMenuItemID.USER32(?,00000000), ref: 006B2B3A
                                    • GetMenuItemID.USER32(?,-00000001), ref: 006B2B64
                                    • GetMenuItemID.USER32(?,?), ref: 006B2BA9
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006B2BEF
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2C03
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2C24
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: 38b7bb8e86c83fd3967bb2dc14e9c6f1f16a78f888963651dc325674ab7aa8ef
                                    • Instruction ID: 7864dd82e496eef03fe68647ae10b7000c6cdd412b8ba8e09536538b0702b3a3
                                    • Opcode Fuzzy Hash: 38b7bb8e86c83fd3967bb2dc14e9c6f1f16a78f888963651dc325674ab7aa8ef
                                    • Instruction Fuzzy Hash: 63619DF090024AAFDB21CF64DCA89FE7BFAFB41308F144559E84297251DB35AD85DB21
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006D7214
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006D7217
                                    • GetWindowLongW.USER32(?,000000F0), ref: 006D723B
                                    • _memset.LIBCMT ref: 006D724C
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D725E
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006D72D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 88959039907cbe8d39a67bd4f887bc1b3a710923049ada3a5ec16ec07eb05fb9
                                    • Instruction ID: 681c0f6118329406f50d3c4d4ba5f2ae4ad16ae7d6ab2991af71358f50036386
                                    • Opcode Fuzzy Hash: 88959039907cbe8d39a67bd4f887bc1b3a710923049ada3a5ec16ec07eb05fb9
                                    • Instruction Fuzzy Hash: 8D617B71900248AFDB10DFA8CC81EEE77F9AB09710F14415AFA14A73A1D774AA45DB64
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006A7135
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 006A718E
                                    • VariantInit.OLEAUT32(?), ref: 006A71A0
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 006A71C0
                                    • VariantCopy.OLEAUT32(?,?), ref: 006A7213
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 006A7227
                                    • VariantClear.OLEAUT32(?), ref: 006A723C
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 006A7249
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A7252
                                    • VariantClear.OLEAUT32(?), ref: 006A7264
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A726F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: 6161c3c96f24fc0b6dd0c638b15b43d0e6b74f2c802268665c83e764f5bc91c4
                                    • Instruction ID: 4585f4ff4ccbf7f12169ef38e5b05eb48c5fe0c49c1e6a2121061ade55097278
                                    • Opcode Fuzzy Hash: 6161c3c96f24fc0b6dd0c638b15b43d0e6b74f2c802268665c83e764f5bc91c4
                                    • Instruction Fuzzy Hash: 9A413F35D00119AFCB00EF64DC44AAEBBFAEF49354F008069F916A7261CB30AE45CFA0
                                    APIs
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • CoInitialize.OLE32 ref: 006C8718
                                    • CoUninitialize.OLE32 ref: 006C8723
                                    • CoCreateInstance.OLE32(?,00000000,00000017,006E2BEC,?), ref: 006C8783
                                    • IIDFromString.OLE32(?,?), ref: 006C87F6
                                    • VariantInit.OLEAUT32(?), ref: 006C8890
                                    • VariantClear.OLEAUT32(?), ref: 006C88F1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    • Opcode ID: bcf47154c5d2645c548863f6640f21b023b6c5d6ac7d40987fd364b1fbc60818
                                    • Instruction ID: 76ed77cdeea3d94e1f3bf582dc4c5c5976385d482ef87cac31c7b0e64fcbce8b
                                    • Opcode Fuzzy Hash: bcf47154c5d2645c548863f6640f21b023b6c5d6ac7d40987fd364b1fbc60818
                                    • Instruction Fuzzy Hash: D8619B70609301AFD720DF24C848F6AB7EAEF45714F14481EF9869B291DB30ED48CBA6
                                    APIs
                                    • WSAStartup.WSOCK32(00000101,?), ref: 006C5AA6
                                    • inet_addr.WSOCK32(?,?,?), ref: 006C5AEB
                                    • gethostbyname.WSOCK32(?), ref: 006C5AF7
                                    • IcmpCreateFile.IPHLPAPI ref: 006C5B05
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5B75
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5B8B
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 006C5C00
                                    • WSACleanup.WSOCK32 ref: 006C5C06
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 6e94a32cb76c8d3c3439eb414863f876c8eadbc624af8545568059ebe0989113
                                    • Instruction ID: bf1495e85959b4c0aecf6a1aa572a8b31df194631614c68b5768917c4adfa4a4
                                    • Opcode Fuzzy Hash: 6e94a32cb76c8d3c3439eb414863f876c8eadbc624af8545568059ebe0989113
                                    • Instruction Fuzzy Hash: 01514A316047009FDB10AF24CC59F6ABBE6EB44710F14892EF956DB2A1DB70FD448B56
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 006BB73B
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006BB7B1
                                    • GetLastError.KERNEL32 ref: 006BB7BB
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 006BB828
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 0edfeab9b047e1caf6d33e032b4272d0f966f660b9a3ab1518cb947fa1df07d8
                                    • Instruction ID: b57efade4df294ef75f9a41bfca16793f65deb3f1c5fe4f9be14932c983a2152
                                    • Opcode Fuzzy Hash: 0edfeab9b047e1caf6d33e032b4272d0f966f660b9a3ab1518cb947fa1df07d8
                                    • Instruction Fuzzy Hash: 193192B5A00209EFDB00EF64D885EFE77BAEF44700F14912AE902D72D1DBB19986CB51
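The entries above are the flat form the Joe Sandbox IDA plugin emits per function: the API calls with module, arguments and call-site address, the strings the function references (joined with `$` under String ID), and opcode/instruction hashes for similarity matching. Because the report classifies the sample as a compiled AutoIt script, most of these functions are the AutoIt runtime (the `Ping` string beside `IcmpSendEcho`, the `READY`/`NOTREADY` strings beside `GetDiskFreeSpaceW`, the `@GUI_DRAGFILE` macro) rather than the script's own logic, so a triager needs a way to sift hundreds of such entries quickly. The Python below is an added example written for this page, not Joe Sandbox code: it parses the listing into records and tags each function with a coarse capability. The tag table is the editor's own, and `SAMPLE` is a constructed condensation of the ICMP ping, drive-status and COM object-creation entries from this report.

```python
"""Parse Joe Sandbox IDA-plugin function entries and tag them by capability."""
import re
from dataclasses import dataclass, field

# Constructed sample: three entries condensed from this report's listing.
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 006C5AA6
• gethostbyname.WSOCK32(?), ref: 006C5AF7
• IcmpCreateFile.IPHLPAPI ref: 006C5B05
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5B75
• WSACleanup.WSOCK32 ref: 006C5C06
Strings
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 6e94a32cb76c8d3c3439eb414863f876c8eadbc624af8545568059ebe0989113
APIs
• SetErrorMode.KERNEL32(00000001), ref: 006BB73B
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006BB7B1
• GetLastError.KERNEL32 ref: 006BB7BB
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 0edfeab9b047e1caf6d33e032b4272d0f966f660b9a3ab1518cb947fa1df07d8
APIs
  • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
• CoInitialize.OLE32 ref: 006C8718
• CoCreateInstance.OLE32(?,00000000,00000017,006E2BEC,?), ref: 006C8783
• VariantClear.OLEAUT32(?), ref: 006C88F1
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
• Opcode ID: bcf47154c5d2645c548863f6640f21b023b6c5d6ac7d40987fd364b1fbc60818
"""

# One API call line: optional "Part of subcall function X:" prefix, then
# name.MODULE, optional (args), and the call-site address after "ref:".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w$@?]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$"
)
# Metadata lines from the Similarity block ("API ID:", "Opcode ID:", hashes).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?ID|[A-Za-z ]+Hash):\s*(?P<val>.*)$")

# Coarse capability tags. Assumption: this table is the editor's, not a Joe Sandbox signature.
TAG_BY_MODULE = {"WSOCK32": "network", "WS2_32": "network", "IPHLPAPI": "network",
                 "WININET": "network", "WINHTTP": "network"}
TAG_BY_API = {"CoCreateInstance": "com", "GetDriveTypeW": "drive-enum",
              "GetDiskFreeSpaceW": "drive-enum", "IsDebuggerPresent": "anti-debug"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""   # non-empty when the plugin listed it as a callee's API

@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    ids: dict = field(default_factory=dict)

    @property
    def tags(self) -> set:
        """Tags from the function's own calls; subcall lines are not credited."""
        tags = set()
        for call in self.apis:
            if call.subcall_of:
                continue
            if call.module in TAG_BY_MODULE:
                tags.add(TAG_BY_MODULE[call.module])
            if call.name in TAG_BY_API:
                tags.add(TAG_BY_API[call.name])
        return tags

def parse_listing(text: str) -> list:
    """Split the flat listing into FuncEntry records; each starts at an 'APIs' heading."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "String ID":
                cur.strings = val.split("$") if val else []
            else:
                cur.ids[key] = val
    return entries

def triage(text: str) -> list:
    """One row per function: short opcode ID, sorted tags, referenced strings."""
    return [(e.ids.get("Opcode ID", "")[:12], sorted(e.tags), e.strings)
            for e in parse_listing(text)]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Lines prefixed "Part of subcall function" are the plugin's view of what a callee does, so they are parsed but not counted toward a function's tags; otherwise every caller of a helper that pings inherits "network". Once the listing is structured, the Opcode ID and API String ID fields can be matched against a clean AutoIt interpreter to separate runtime functions from anything the script-specific part of the binary contributes.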
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006A94F6
                                    • GetDlgCtrlID.USER32 ref: 006A9501
                                    • GetParent.USER32 ref: 006A951D
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 006A9520
                                    • GetDlgCtrlID.USER32(?), ref: 006A9529
                                    • GetParent.USER32(?), ref: 006A9545
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 006A9548
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: c0fb557514299e29f5546f082c86c5c69e6ce168a633c63f9d756c9f299d27da
                                    • Instruction ID: cb71e634e8484ba0144a634de43897471c167c92740b6c4ff02d2e1c88bf97c8
                                    • Opcode Fuzzy Hash: c0fb557514299e29f5546f082c86c5c69e6ce168a633c63f9d756c9f299d27da
                                    • Instruction Fuzzy Hash: D821B070D00204ABCF05AB64CC85DFEBBB6EF4A300F10412AB962972E2DB7599199E20
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006A95DF
                                    • GetDlgCtrlID.USER32 ref: 006A95EA
                                    • GetParent.USER32 ref: 006A9606
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 006A9609
                                    • GetDlgCtrlID.USER32(?), ref: 006A9612
                                    • GetParent.USER32(?), ref: 006A962E
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 006A9631
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1536045017-1403004172
                                    • Opcode ID: 2ecfaffa896eda6b2f92e7c0e2ead6daaf550b166fe5229202c21d0a92ef6c1a
                                    • Instruction ID: eafd99dcb16754c1b95e9eb7dcaec6bf0a37c18a5d66d1c778efbe274a240e3d
                                    • Opcode Fuzzy Hash: 2ecfaffa896eda6b2f92e7c0e2ead6daaf550b166fe5229202c21d0a92ef6c1a
                                    • Instruction Fuzzy Hash: 9C21B374D00204BBDF01AB74CC85EFEBBBAEF4A300F10511AB952972E2DB7599199E20
                                    APIs
                                    • GetParent.USER32 ref: 006A9651
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 006A9666
                                    • _wcscmp.LIBCMT ref: 006A9678
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006A96F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: d8d9fa09bc0a0aac4c31a0366b1ee6cbbf2a22db595812ab0669ad54d83777e7
                                    • Instruction ID: 3ea6b9fad8b6a62872c09ebb3b37af5360e3065ac9bfd1576157691ec6a27b31
                                    • Opcode Fuzzy Hash: d8d9fa09bc0a0aac4c31a0366b1ee6cbbf2a22db595812ab0669ad54d83777e7
                                    • Instruction Fuzzy Hash: 3F1106B7248317BAFB013631DC06DE677DE8F06760B30512AFA05A51D2FEA2AD115D68
                                    APIs
                                    • __swprintf.LIBCMT ref: 006B419D
                                    • __swprintf.LIBCMT ref: 006B41AA
                                      • Part of subcall function 006738D8: __woutput_l.LIBCMT ref: 00673931
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 006B41D4
                                    • LoadResource.KERNEL32(?,00000000), ref: 006B41E0
                                    • LockResource.KERNEL32(00000000), ref: 006B41ED
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 006B420D
                                    • LoadResource.KERNEL32(?,00000000), ref: 006B421F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 006B422E
                                    • LockResource.KERNEL32(?), ref: 006B423A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006B429B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: d910c5b03e4793e084084e638a9af0672aa4aa448ede2649e58dc072517a7a49
                                    • Instruction ID: 142c92857cb3ed36e2fbac92eaf0915e85ddfe534322764e5656f27d6ee2a999
                                    • Opcode Fuzzy Hash: d910c5b03e4793e084084e638a9af0672aa4aa448ede2649e58dc072517a7a49
                                    • Instruction Fuzzy Hash: 4B3175B190521AABDB119FA0DC44EFF7BAEEF04301F048525F906D6251DB34DB91D7A4
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: ,,n$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-2400968246
                                    • Opcode ID: a4e41288aecd89662c62263b037464fe4618bcd51de019771d4046a5a7a6fd81
                                    • Instruction ID: 78160d8121300dda3b412b31ff0e1bcf0b28bea425002b0e47226c2181ec835c
                                    • Opcode Fuzzy Hash: a4e41288aecd89662c62263b037464fe4618bcd51de019771d4046a5a7a6fd81
                                    • Instruction Fuzzy Hash: DB916A71A00219ABDF24DFA6C848FAEBBBAEF45710F10855DF519AB280D7709945CFA0
                                    APIs
                                    • EnumChildWindows.USER32(?,006AAA64), ref: 006AA9A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: b8860ae03fe31e8e09a2507529407a30ef1fcecf855c606a6f992d721d71634e
                                    • Instruction ID: b0b89d87d4f1f8b6689e0dbbb3bc85d70e05f2d5cec9cae6bac5025feb1a4501
                                    • Opcode Fuzzy Hash: b8860ae03fe31e8e09a2507529407a30ef1fcecf855c606a6f992d721d71634e
                                    • Instruction Fuzzy Hash: 2F918730900606DBDB58EFA0C441BEAF7B6BF05304F10812ED99AA7251DF306D5ADFA5
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 00652EAE
                                      • Part of subcall function 00651DB3: GetClientRect.USER32(?,?), ref: 00651DDC
                                      • Part of subcall function 00651DB3: GetWindowRect.USER32(?,?), ref: 00651E1D
                                      • Part of subcall function 00651DB3: ScreenToClient.USER32(?,?), ref: 00651E45
                                    • GetDC.USER32 ref: 0068CF82
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0068CF95
                                    • SelectObject.GDI32(00000000,00000000), ref: 0068CFA3
                                    • SelectObject.GDI32(00000000,00000000), ref: 0068CFB8
                                    • ReleaseDC.USER32(?,00000000), ref: 0068CFC0
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0068D04B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: 681f39c55697ae31a44c5e3feecafa5c6dbc06776a1a17d1660cd8434cec1ee3
                                    • Instruction ID: 413bcdc22436cbd196444c7edeb8550485fe5fddecdbd8931a3c4a43b03de411
                                    • Opcode Fuzzy Hash: 681f39c55697ae31a44c5e3feecafa5c6dbc06776a1a17d1660cd8434cec1ee3
                                    • Instruction Fuzzy Hash: A871D230400205DFCF21AF64C895AEA7BB7FF49361F14836AEE559A2A6C7318C46DB70
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,006DF910), ref: 006C903D
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006DF910), ref: 006C9071
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006C91EB
                                    • SysFreeString.OLEAUT32(?), ref: 006C9215
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: a930013c501ba31815cc32d6d9a1888ed641bd890694b059e71411e2fe732794
                                    • Instruction ID: 96789e119b79a6fdae36ad7bb8e05c07890c22ede03812f1e57e9a8922486587
                                    • Opcode Fuzzy Hash: a930013c501ba31815cc32d6d9a1888ed641bd890694b059e71411e2fe732794
                                    • Instruction Fuzzy Hash: 31F1F771A00109EFDB14DF94C888EBEB7BAFF49315F148059F916AB251DB31AE46CB60
                                    APIs
                                    • _memset.LIBCMT ref: 006CF9C9
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CFB5C
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CFB80
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CFBC0
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CFBE2
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006CFD5E
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006CFD90
                                    • CloseHandle.KERNEL32(?), ref: 006CFDBF
                                    • CloseHandle.KERNEL32(?), ref: 006CFE36
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 8f17f7cd270fed4f7290d5c6fc9ef3cbc3b730568734518654b5f5ecff37db26
                                    • Instruction ID: a141b48f9e8fb9d07652c983101dd46ea871e1f4caa866dadc1a5d82ca647fed
                                    • Opcode Fuzzy Hash: 8f17f7cd270fed4f7290d5c6fc9ef3cbc3b730568734518654b5f5ecff37db26
                                    • Instruction Fuzzy Hash: 7FE16C31604241DFC754EF24C491BAABBE2EF85314F18856DF89A8B3A2DB31EC45CB56
                                    APIs
                                      • Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B38D3,?), ref: 006B48C7
                                      • Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B38D3,?), ref: 006B48E0
                                      • Part of subcall function 006B4CD3: GetFileAttributesW.KERNEL32(?,006B3947), ref: 006B4CD4
                                    • lstrcmpiW.KERNEL32(?,?), ref: 006B4FE2
                                    • _wcscmp.LIBCMT ref: 006B4FFC
                                    • MoveFileW.KERNEL32(?,?), ref: 006B5017
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    • Opcode ID: da2df34789249e02b2862c694962824c9a3f81259a439b291f0aa405d20e1bff
                                    • Instruction ID: 7b11fb7874eea4fe908fea61f6e32913fd5b95e6f844baa43640e260bbf2a716
                                    • Opcode Fuzzy Hash: da2df34789249e02b2862c694962824c9a3f81259a439b291f0aa405d20e1bff
                                    • Instruction Fuzzy Hash: 1C5177F24087855BC764EB64D881ADFB3EDAF84301F00492EF58AD7152EF75A18C876A
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006D896E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 378793d540ec044189b18d380836545973e524aa92d04b3a3ce1de1250e40978
                                    • Instruction ID: 06d1c1fd569e6ee2bf45e4d7e6980106e7006a8849852e931f022aa91355a7ab
                                    • Opcode Fuzzy Hash: 378793d540ec044189b18d380836545973e524aa92d04b3a3ce1de1250e40978
                                    • Instruction Fuzzy Hash: 16518130E00209BFDB209F28CC8DBA97B67BB05310F644117F915EB7A1DF71AA809B91
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0068C547
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068C569
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0068C581
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0068C59F
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0068C5C0
                                    • DestroyIcon.USER32(00000000), ref: 0068C5CF
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0068C5EC
                                    • DestroyIcon.USER32(?), ref: 0068C5FB
                                      • Part of subcall function 006DA71E: DeleteObject.GDI32(00000000), ref: 006DA757
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                    • String ID:
                                    • API String ID: 2819616528-0
                                    • Opcode ID: eeb6437350ed85fb50c3f3ef55e8672527ae8aa986260d55d3ece8a185053244
                                    • Instruction ID: fa0726fa2d09a6cfec71cd307b66c574055e35729d0d140fbe645609c45b3f31
                                    • Opcode Fuzzy Hash: eeb6437350ed85fb50c3f3ef55e8672527ae8aa986260d55d3ece8a185053244
                                    • Instruction Fuzzy Hash: 5A517D74A00206AFDF20DF24DC55FAA37B6EB55321F104629F902972D0DB70ED91DB60
                                    APIs
                                      • Part of subcall function 006AAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 006AAE77
                                      • Part of subcall function 006AAE57: GetCurrentThreadId.KERNEL32 ref: 006AAE7E
                                      • Part of subcall function 006AAE57: AttachThreadInput.USER32(00000000,?,006A9B65,?,00000001), ref: 006AAE85
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9B70
                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006A9B8D
                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006A9B90
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9B99
                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006A9BB7
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A9BBA
                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9BC3
                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006A9BDA
                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A9BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                    • String ID:
                                    • API String ID: 2014098862-0
                                    • Opcode ID: 7a03657b5993217cb5e6cb1f86bc2a4c84270453ace4bde178e5f6019bb08c08
                                    • Instruction ID: 0cef067f6be6aa1d32a486f03f0e2efd9cfc4ee26527b67ac3b58d1858b8decb
                                    • Opcode Fuzzy Hash: 7a03657b5993217cb5e6cb1f86bc2a4c84270453ace4bde178e5f6019bb08c08
                                    • Instruction Fuzzy Hash: 8311E171A50218FEF7106B60DC89F6A3B2EEB4D751F20142AF245AB0A0CAF25C10DAB4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E0C
                                    • HeapAlloc.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E13
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006A8A84,00000B00,?,?), ref: 006A8E28
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E30
                                    • DuplicateHandle.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E33
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006A8A84,00000B00,?,?), ref: 006A8E43
                                    • GetCurrentProcess.KERNEL32(006A8A84,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E4B
                                    • DuplicateHandle.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E4E
                                    • CreateThread.KERNEL32(00000000,00000000,006A8E74,00000000,00000000,00000000), ref: 006A8E68
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                    • String ID:
                                    • API String ID: 1957940570-0
                                    • Opcode ID: e2742ad0cf6940990e69b4b88131b678f16b6c289efd59685e492f7b0d6721f8
                                    • Instruction ID: 1b432c5000369cfb12a1083150e3f89ec2b2c58b1cdc721bd3b13b89d4c48517
                                    • Opcode Fuzzy Hash: e2742ad0cf6940990e69b4b88131b678f16b6c289efd59685e492f7b0d6721f8
                                    • Instruction Fuzzy Hash: 9401BBB5A41308FFE710ABA5DC4DF6B3BADEB89711F015421FA05DB1A1CA709D00CB60
                                    APIs
                                      • Part of subcall function 006A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?,?,006A799D), ref: 006A766F
                                      • Part of subcall function 006A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A768A
                                      • Part of subcall function 006A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A7698
                                      • Part of subcall function 006A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?), ref: 006A76A8
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006C9B1B
                                    • _memset.LIBCMT ref: 006C9B28
                                    • _memset.LIBCMT ref: 006C9C6B
                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 006C9C97
                                    • CoTaskMemFree.OLE32(?), ref: 006C9CA2
                                    Strings
                                    • NULL Pointer assignment, xrefs: 006C9CF0
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    • Opcode ID: e9974be6332dad15c94cacf0a6754a9dee1bfc6c8ab60f5383b820dd5d27c2f8
                                    • Instruction ID: 6ceb7923ec4dd13f6332c289855ca49b43a10309760bcf63b225b5771b0de6fc
                                    • Opcode Fuzzy Hash: e9974be6332dad15c94cacf0a6754a9dee1bfc6c8ab60f5383b820dd5d27c2f8
                                    • Instruction Fuzzy Hash: BA911A71D00219EBDB10DFA5DC85EEEBBBAEF08710F20415AF51AA7241DB719A45CFA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006D7093
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 006D70A7
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006D70C1
                                    • _wcscat.LIBCMT ref: 006D711C
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 006D7133
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006D7161
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    • Opcode ID: f778977e5e05966e1aca860452bfc1a1324ac3bfe044be714d35d703e1270cdc
                                    • Instruction ID: e68159b2b1f26f11942f302cbd6b748bfb63b17b9da7e256429c1b80935d2c7e
                                    • Opcode Fuzzy Hash: f778977e5e05966e1aca860452bfc1a1324ac3bfe044be714d35d703e1270cdc
                                    • Instruction Fuzzy Hash: 4E419F70904308ABDB219F64CC85BEA77AAEF08350F10452BF545A73D2E6719D848B64
                                    APIs
                                      • Part of subcall function 006B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 006B3EB6
                                      • Part of subcall function 006B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006B3EC4
                                      • Part of subcall function 006B3E91: CloseHandle.KERNEL32(00000000), ref: 006B3F8E
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CECB8
                                    • GetLastError.KERNEL32 ref: 006CECCB
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CECFA
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 006CED77
                                    • GetLastError.KERNEL32(00000000), ref: 006CED82
                                    • CloseHandle.KERNEL32(00000000), ref: 006CEDB7
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    • Opcode ID: 8ea16fa52c34336746da7f287fddd66eac748551c2acfa1ba70ce2d992baeaac
                                    • Instruction ID: a45089f801ed91f40eb382710091e67fb2a1637bbb15d47abb1c50c4e6f49062
                                    • Opcode Fuzzy Hash: 8ea16fa52c34336746da7f287fddd66eac748551c2acfa1ba70ce2d992baeaac
                                    • Instruction Fuzzy Hash: 3F4179716002009FDB14EF24CC95FBEB7A6AF40714F08805DF9439B2D2DB76A904CBAA
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 006B32C5
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    • Opcode ID: 64cd030777ea5d8953a17b204ca8ad29792b196eef00b66b51cbc08657cf822b
                                    • Instruction ID: 6e2936cf46cd72ac69c480fe550c23e8cfa734169aa88a680f0ec6bf1d84ea6f
                                    • Opcode Fuzzy Hash: 64cd030777ea5d8953a17b204ca8ad29792b196eef00b66b51cbc08657cf822b
                                    • Instruction Fuzzy Hash: 7B1105B2748376FAE7015B64DC42DEAB3DEEF19360F20402AF504A63C2E6759B8147A5
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006B454E
                                    • LoadStringW.USER32(00000000), ref: 006B4555
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006B456B
                                    • LoadStringW.USER32(00000000), ref: 006B4572
                                    • _wprintf.LIBCMT ref: 006B4598
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006B45B6
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 006B4593
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    • Opcode ID: 7883ad16b9d8835579ba23a2537a7be3ffbbe9e18a038cf5d2644299ec14fd98
                                    • Instruction ID: a359f50ff783c5ff77a14f2420dfdd535391c8670a3dca03b039a145cda589b2
                                    • Opcode Fuzzy Hash: 7883ad16b9d8835579ba23a2537a7be3ffbbe9e18a038cf5d2644299ec14fd98
                                    • Instruction Fuzzy Hash: 380162F3D00208BFE750ABA0DD89EE7776DDB08301F0045A6BB4AD2152EA749E858B75
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • GetSystemMetrics.USER32(0000000F), ref: 006DD78A
                                    • GetSystemMetrics.USER32(0000000F), ref: 006DD7AA
                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006DD9E5
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006DDA03
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006DDA24
                                    • ShowWindow.USER32(00000003,00000000), ref: 006DDA43
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 006DDA68
                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 006DDA8B
                                    Similarity
                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                    • String ID:
                                    • API String ID: 1211466189-0
                                    • Opcode ID: 9390fb73524dc296d8c11f565afe7d818931c73aeb9990d3e326669e57fe1563
                                    • Instruction ID: 84ba91ae0c430442f14b74c5fe750dd9e380a9823dced1cac6158cb8ac34da5a
                                    • Opcode Fuzzy Hash: 9390fb73524dc296d8c11f565afe7d818931c73aeb9990d3e326669e57fe1563
                                    • Instruction Fuzzy Hash: 58B18771A00225ABDF14DF68C9957FD7BB2BF48701F08C06AEC489E399DB35A950CB90
                                    APIs
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 00652ACF
                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000,000000FF), ref: 00652B17
                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 0068C46A
                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 0068C4D6
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    • Opcode ID: 9d34caa6f78419e22ccfb6d184fb7e8d6f5cd16208465d641651af3e8a75d534
                                    • Instruction ID: 37af6fafa47ada48a00e68ed38f5c4082f626b58135066bec123937bc046f221
                                    • Opcode Fuzzy Hash: 9d34caa6f78419e22ccfb6d184fb7e8d6f5cd16208465d641651af3e8a75d534
                                    • Instruction Fuzzy Hash: 0B412C306046829AC7359B289CB87FB7BD3AB47316F18C91EE84786761C675988ED720
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 006B737F
                                      • Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
                                      • Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006B73B6
                                    • EnterCriticalSection.KERNEL32(?), ref: 006B73D2
                                    • _memmove.LIBCMT ref: 006B7420
                                    • _memmove.LIBCMT ref: 006B743D
                                    • LeaveCriticalSection.KERNEL32(?), ref: 006B744C
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006B7461
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 006B7480
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 256516436-0
                                    • Opcode ID: 77975395bf9f662ffab82c6f8815a53b9f710c3daabe97b5f6493d2d1bf0c357
                                    • Instruction ID: 58a26f36e4cd8e904f75e3bc7f09936b290ecab6735876e35d2a322c52b4a1a9
                                    • Opcode Fuzzy Hash: 77975395bf9f662ffab82c6f8815a53b9f710c3daabe97b5f6493d2d1bf0c357
                                    • Instruction Fuzzy Hash: 4F318F71904205EBDF50DFA8DC85AAE7BB9FF45710B1481BAF904AB246DB309A50CBA4
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 006D645A
                                    • GetDC.USER32(00000000), ref: 006D6462
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D646D
                                    • ReleaseDC.USER32(00000000,00000000), ref: 006D6479
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006D64B5
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006D64C6
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 006D6500
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006D6520
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: e1229b6c409afba5fd6155e2971b6387d37619f73acc4cb053aa0c1f6daff16f
                                    • Instruction ID: 7dd46cbd9d9202585a063e72d0492ae0d56a9fb0e448097ebf0c68dcd756c74e
                                    • Opcode Fuzzy Hash: e1229b6c409afba5fd6155e2971b6387d37619f73acc4cb053aa0c1f6daff16f
                                    • Instruction Fuzzy Hash: 6D31A072601210BFEB208F50DC4AFEB3FAAEF0A765F044066FE099A291C6759C41CB74
                                    APIs
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 3656a7e753f0faa989be1ea7c1909d71087a2f4cfc0eacdfd6365e861a1a16fa
                                    • Instruction ID: 3dfcb8da978c35d36da36a7899d1f53a3cae24207854d21e631be175a9ed0cdc
                                    • Opcode Fuzzy Hash: 3656a7e753f0faa989be1ea7c1909d71087a2f4cfc0eacdfd6365e861a1a16fa
                                    • Instruction Fuzzy Hash: 8421D771741306BBDA50BA258C52FFB239FAF137B4B144025FD099A382E752ED1189A9
                                    APIs
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                      • Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9
                                    • _wcstok.LIBCMT ref: 006BEEFF
                                    • _wcscpy.LIBCMT ref: 006BEF8E
                                    • _memset.LIBCMT ref: 006BEFC1
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: 9efa3bceb802834238938bedc2b3a62a414947bc12556b95277e535d06c48940
                                    • Instruction ID: 7f4e61e794300e783a8bff3502a03c708d34f5b8baa4a2eeb739d0aaa0334bf1
                                    • Opcode Fuzzy Hash: 9efa3bceb802834238938bedc2b3a62a414947bc12556b95277e535d06c48940
                                    • Instruction Fuzzy Hash: DEC18171508300DFC754EF24D895A9AB7E6BF84310F04496DF89A9B3A2DB30ED49CB96
                                    APIs
                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006C6F14
                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006C6F35
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6F48
                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 006C6FFE
                                    • inet_ntoa.WSOCK32(?), ref: 006C6FBB
                                      • Part of subcall function 006AAE14: _strlen.LIBCMT ref: 006AAE1E
                                      • Part of subcall function 006AAE14: _memmove.LIBCMT ref: 006AAE40
                                    • _strlen.LIBCMT ref: 006C7058
                                    • _memmove.LIBCMT ref: 006C70C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                    • String ID:
                                    • API String ID: 3619996494-0
                                    • Opcode ID: e5928886fae874845a9dbb5ae98ab0313338e54301ad65a51b80cd9b54cee73d
                                    • Instruction ID: bd3516bf5f88d04211a15d02914ecceb1002225fa20c670b4673fab168f3247b
                                    • Opcode Fuzzy Hash: e5928886fae874845a9dbb5ae98ab0313338e54301ad65a51b80cd9b54cee73d
                                    • Instruction Fuzzy Hash: B381B171608300ABD750EF24CC86FABB3EAEF84714F14451DF9569B292DA70AD05CBA6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2e9003c32670c1a3301519100b784f126fcbe735f13a39ebe499998640a17be1
                                    • Instruction ID: 117fb26c04ecd4ba0f979b7fca06bc8e5034cfbd08b53ff4b6ed6f7c0e82c694
                                    • Opcode Fuzzy Hash: 2e9003c32670c1a3301519100b784f126fcbe735f13a39ebe499998640a17be1
                                    • Instruction Fuzzy Hash: DA717C30900109EFCB049F98CC49ABEBBBAFF86311F148159F915AA251C730AA55CBA4
                                    APIs
                                    • IsWindow.USER32(016C4AF0), ref: 006DB6A5
                                    • IsWindowEnabled.USER32(016C4AF0), ref: 006DB6B1
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006DB795
                                    • SendMessageW.USER32(016C4AF0,000000B0,?,?), ref: 006DB7CC
                                    • IsDlgButtonChecked.USER32(?,?), ref: 006DB809
                                    • GetWindowLongW.USER32(016C4AF0,000000EC), ref: 006DB82B
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006DB843
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                    • String ID:
                                    • API String ID: 4072528602-0
                                    • Opcode ID: bcde49e4f349d040f0a16e8992fcd90b6f9371102fcfa1cd09391316ffd1ec66
                                    • Instruction ID: 614f1f866ff4ee7b015161ffafca93d5c6b325f8446172aebf18276fe5f64c30
                                    • Opcode Fuzzy Hash: bcde49e4f349d040f0a16e8992fcd90b6f9371102fcfa1cd09391316ffd1ec66
                                    • Instruction Fuzzy Hash: B3717D34E01244EFDB219F64C8A4FEA7BBBEF49300F16506AE946973A5C731E941CB54
                                    APIs
                                    • _memset.LIBCMT ref: 006CF75C
                                    • _memset.LIBCMT ref: 006CF825
                                    • ShellExecuteExW.SHELL32(?), ref: 006CF86A
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                      • Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9
                                    • GetProcessId.KERNEL32(00000000), ref: 006CF8E1
                                    • CloseHandle.KERNEL32(00000000), ref: 006CF910
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 3522835683-2766056989
                                    • Opcode ID: baaaf17a5736c7c06fb160ce12253bf1db7544f224ac5e2bf802159221528818
                                    • Instruction ID: eda8b77739b5a1fee2137f0c7874e1b373114364c0b459ead576b2b4be1227f4
                                    • Opcode Fuzzy Hash: baaaf17a5736c7c06fb160ce12253bf1db7544f224ac5e2bf802159221528818
                                    • Instruction Fuzzy Hash: 8A616A75A00619DFCF14EF54C580AAEBBB6FF48310F14846DE85AAB351CB30AD45CBA4
                                    APIs
                                    • GetParent.USER32(?), ref: 006B149C
                                    • GetKeyboardState.USER32(?), ref: 006B14B1
                                    • SetKeyboardState.USER32(?), ref: 006B1512
                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 006B1540
                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 006B155F
                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 006B15A5
                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006B15C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
                                    • Instruction ID: 151a768a25fe7b93ed092579111228f5808a4b7127d7e72bc3650c254dc96b1e
                                    • Opcode Fuzzy Hash: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
                                    • Instruction Fuzzy Hash: 4A51F0E1A042D53EFB3643248C65BFA7FAB5B47304F488489E1D64A9C2D694ECC4D760
                                    APIs
                                    • GetParent.USER32(00000000), ref: 006B12B5
                                    • GetKeyboardState.USER32(?), ref: 006B12CA
                                    • SetKeyboardState.USER32(?), ref: 006B132B
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006B1357
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006B1374
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006B13B8
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006B13D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
                                    • Instruction ID: 79a22d7dec7f9c679d866b1270a39a694ae4dfb48eac65163d25472a495dfee5
                                    • Opcode Fuzzy Hash: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
                                    • Instruction Fuzzy Hash: 7B51E0E09446D53DFB3287248C65BFABFEB5B07300F488489E1D58E9C2E695ACD4D760
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 455d5c756630feb3a87055fbacc8897c7102983f8139248859ed81451ca723ad
                                    • Instruction ID: b02a39502499f78be0e39c7f33fce12a7900f0e5e9275325a1e8542dc152004f
                                    • Opcode Fuzzy Hash: 455d5c756630feb3a87055fbacc8897c7102983f8139248859ed81451ca723ad
                                    • Instruction Fuzzy Hash: F44186A5C2052476CB50FBB4888AACF73AEAF05310F50C95AF519E3222E734E755C7AD
                                    APIs
                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ADAC5
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006ADAFB
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006ADB0C
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006ADB8E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: ,,n$DllGetClassObject
                                    • API String ID: 753597075-149241901
                                    • Opcode ID: 4548440e39b37478ca18bdd02e1615f76b4b7eceedb76f671ddbaa82535783c5
                                    • Instruction ID: 1c8eb095565739796d41102ba1cb517174b1a7ec54f8178868d17c65ec21f3f4
                                    • Opcode Fuzzy Hash: 4548440e39b37478ca18bdd02e1615f76b4b7eceedb76f671ddbaa82535783c5
                                    • Instruction Fuzzy Hash: F84180B1601205EFDB15DF54C884A9A7BEAEF45710F1580AAE9069F205D7B1DD44CFA0
                                    APIs
                                      • Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B38D3,?), ref: 006B48C7
                                      • Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B38D3,?), ref: 006B48E0
                                    • lstrcmpiW.KERNEL32(?,?), ref: 006B38F3
                                    • _wcscmp.LIBCMT ref: 006B390F
                                    • MoveFileW.KERNEL32(?,?), ref: 006B3927
                                    • _wcscat.LIBCMT ref: 006B396F
                                    • SHFileOperationW.SHELL32(?), ref: 006B39DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1377345388-1173974218
                                    • Opcode ID: 4ffc07deff58d5445f5ae499fd6735bb11d92f910095f34af7b78e740e1b97a7
                                    • Instruction ID: de8aa2a1e47519a9a4166c8448d322f382b236c15255bb73bc0fd14d012f1e34
                                    • Opcode Fuzzy Hash: 4ffc07deff58d5445f5ae499fd6735bb11d92f910095f34af7b78e740e1b97a7
                                    • Instruction Fuzzy Hash: 924160B25093549AC791EF64C481AEFB7E9AF89340F04092EB48AC3251EB74D68DC756
                                    APIs
                                    • _memset.LIBCMT ref: 006D7519
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D75C0
                                    • IsMenu.USER32(?), ref: 006D75D8
                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D7620
                                    • DrawMenuBar.USER32 ref: 006D7633
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                    • String ID: 0
                                    • API String ID: 3866635326-4108050209
                                    • Opcode ID: fb87b115da7a9cecb795f202e57a75f4e7b61ca8679eaa76e86359a8d0b1003b
                                    • Instruction ID: 91db6fd4312046f53146b50cda3e5d01664ee0adc43ca11a1a1c44d4d90583f1
                                    • Opcode Fuzzy Hash: fb87b115da7a9cecb795f202e57a75f4e7b61ca8679eaa76e86359a8d0b1003b
                                    • Instruction Fuzzy Hash: D2412875A05649AFDB10DF58E884EDABBFAFB08314F04812AE91597390E731ED50CF91
                                    APIs
                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006D125C
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D1286
                                    • FreeLibrary.KERNEL32(00000000), ref: 006D133D
                                      • Part of subcall function 006D122D: RegCloseKey.ADVAPI32(?), ref: 006D12A3
                                      • Part of subcall function 006D122D: FreeLibrary.KERNEL32(?), ref: 006D12F5
                                      • Part of subcall function 006D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006D1318
                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 006D12E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 395352322-0
                                    • Opcode ID: 0341e0e479a507ac939284dc71ca1dfdc3043d1170e8010e8f62ce7a10235dfe
                                    • Instruction ID: ce570b751f2e47a43343bf5dd3e59363405be056e3b86ba432864800f8a372da
                                    • Opcode Fuzzy Hash: 0341e0e479a507ac939284dc71ca1dfdc3043d1170e8010e8f62ce7a10235dfe
                                    • Instruction Fuzzy Hash: EB312BB1D01109BFDB149B90DC89EFEB7BDEF09300F00416BE512E6251EAB59F859AA0
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006D655B
                                    • GetWindowLongW.USER32(016C4AF0,000000F0), ref: 006D658E
                                    • GetWindowLongW.USER32(016C4AF0,000000F0), ref: 006D65C3
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006D65F5
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006D661F
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 006D6630
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006D664A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: b17121a1ac2f0ec73e525f880f90ec4a969578c9a7cfdfed5e7ac2c2cadfd508
                                    • Instruction ID: 87a50de1f13e9bffea21b9bc7a277a0d4601c6cb36309e7a1692f6bbe01c5925
                                    • Opcode Fuzzy Hash: b17121a1ac2f0ec73e525f880f90ec4a969578c9a7cfdfed5e7ac2c2cadfd508
                                    • Instruction Fuzzy Hash: 0731F330A05150AFDB20CF18EC85FA537E2FB4A710F1981AAF5118B3B6CB61E880DB55
                                    APIs
                                      • Part of subcall function 006C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006C64D9
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C64E8
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6521
                                    • connect.WSOCK32(00000000,?,00000010), ref: 006C652A
                                    • WSAGetLastError.WSOCK32 ref: 006C6534
                                    • closesocket.WSOCK32(00000000), ref: 006C655D
                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6576
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 910771015-0
                                    • Opcode ID: 45a18abbc1bb620665de8c6caf0daa43ffbe908047e231491c220d124b9b36a8
                                    • Instruction ID: da9d3cbb50ec6a1f527d04b1efe762146812625ddb6d9a1174df2468a4ba961f
                                    • Opcode Fuzzy Hash: 45a18abbc1bb620665de8c6caf0daa43ffbe908047e231491c220d124b9b36a8
                                    • Instruction Fuzzy Hash: 7A31A131600118AFDB10AF24DC85FBE7BBAEB44715F04802EFD0697291CB70AD08CB65
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006AE0FA
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006AE120
                                    • SysAllocString.OLEAUT32(00000000), ref: 006AE123
                                    • SysAllocString.OLEAUT32 ref: 006AE144
                                    • SysFreeString.OLEAUT32 ref: 006AE14D
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 006AE167
                                    • SysAllocString.OLEAUT32(?), ref: 006AE175
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: 2ea4f5a10cb13075ca533fab86b93abc4f493696f6c83630a804dfb431623776
                                    • Instruction ID: e1ad44cf851af13e9ad2b06235cae7bed592b2e0e3d970feaa3ed2ff24bc303d
                                    • Opcode Fuzzy Hash: 2ea4f5a10cb13075ca533fab86b93abc4f493696f6c83630a804dfb431623776
                                    • Instruction Fuzzy Hash: 2E215335605118AFDB10BFA8DC88DAB77EEEB0A760B108136F955CB261DA71DC41CF64
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: b9fbce4ec27ec13ea4ce7d1aa4818b1d0364c459d65d789cced2356d8f490e1a
                                    • Instruction ID: 9f4e3b932a58aa385d371c5bf1a128ff4708952b00e1d3b27e04bc7244e8a49f
                                    • Opcode Fuzzy Hash: b9fbce4ec27ec13ea4ce7d1aa4818b1d0364c459d65d789cced2356d8f490e1a
                                    • Instruction Fuzzy Hash: 48216A3210025566D230B775DC12FE7B39FEF23310F14803AF88A86281FB51AD82D6AA
                                    APIs
                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006D78A1
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006D78AE
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006D78B9
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006D78C8
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006D78D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: cb8ce9dd7aa14fe8ac308f4205f3eed47db567f6b69fd3003dab50066a91bc19
                                    • Instruction ID: f1738ef433580fe4278b387eb0b8449fdee7a89367dda0ba18e4f55cc01b2463
                                    • Opcode Fuzzy Hash: cb8ce9dd7aa14fe8ac308f4205f3eed47db567f6b69fd3003dab50066a91bc19
                                    • Instruction Fuzzy Hash: 041193B1510119BFEF159F60CC85EE77F6EEF08758F014125BA04A6190D7729C21DBA4
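The "APIs" lines in these function blocks are the most useful part of the report for triage, but the immediates are printed as raw hex. The parser below is an added example (not Joe Sandbox code and not part of the original report): it reads lines in the report's own format, keeps the "Part of subcall function" attribution, and substitutes symbolic names for immediates it can identify. The constant table is an assumption drawn from the Windows SDK headers (FIONBIO, the PBM_*/TCM_*/WM_* message numbers, DEFAULT_GUI_FONT, LOAD_LIBRARY_SEARCH_SYSTEM32 and so on), and the sample input is constructed by copying API lines from the WSOCK32, Msctls_Progress32 and combase.dll blocks on this page. Run over those lines it shows that the WSOCK32 function is a non-blocking TCP connect (ioctlsocket with FIONBIO, then connect, then WSAGetLastError) and that the progress-bar block sets a 0..100 range via PBM_SETRANGE.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# A parsed argument: hex immediate, string literal, or None for "?" (unknown at analysis time).
Arg = Union[int, str, None]


@dataclass
class ApiCall:
    name: str                          # exported function, e.g. "ioctlsocket"
    module: str                        # DLL as printed by the report, e.g. "WSOCK32"
    args: list                         # parsed arguments in call order
    ref: int                           # call-site address inside the memory dump
    subcall_of: Optional[int] = None   # set for "Part of subcall function <addr>:" lines


# Matches "• name.MODULE(args), ref: ADDR" and the argument-less "• name.MODULE ref: ADDR" form.
API_LINE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^(-?)([0-9A-Fa-f]{8})$")

# Assumed SDK values, keyed by (function, zero-based argument index).
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT", 0x0111: "WM_COMMAND",
    0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP",
    0x0409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR", 0x130C: "TCM_SETCURSEL",
}
KNOWN_CONSTANTS = {
    ("socket", 0): {2: "AF_INET"},
    ("socket", 1): {1: "SOCK_STREAM"},
    ("socket", 2): {6: "IPPROTO_TCP"},
    ("ioctlsocket", 1): {0x8004667E: "FIONBIO"},
    ("SendMessageW", 1): WINDOW_MESSAGES,
    ("PostMessageW", 1): WINDOW_MESSAGES,
    ("GetStockObject", 0): {17: "DEFAULT_GUI_FONT"},
    ("mouse_event", 0): {0x8001: "MOUSEEVENTF_ABSOLUTE|MOUSEEVENTF_MOVE"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("LoadLibraryExW", 2): {0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"},
    ("VariantChangeType", 3): {0x13: "VT_UI4"},
    ("GetMenuStringW", 4): {0x400: "MF_BYPOSITION"},
}


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    m = HEX_ARG.match(tok)
    if m:
        value = int(m.group(2), 16)
        return -value if m.group(1) else value
    return tok  # string literal such as "combase.dll" or "RoInitialize"


def parse_api_lines(text: str) -> list:
    """Return the ApiCall records found in a block of report text; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(name=m.group("name"), module=m.group("module"), args=args,
                             ref=int(m.group("ref"), 16),
                             subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
    return calls


def decode_constants(call: ApiCall) -> dict:
    """Map argument index -> symbolic name for the immediates in KNOWN_CONSTANTS."""
    out = {}
    for i, a in enumerate(call.args):
        names = KNOWN_CONSTANTS.get((call.name, i))
        if names and isinstance(a, int) and a in names:
            out[i] = names[a]
    # PBM_SETRANGE packs the range as MAKELPARAM(min, max) in lParam.
    if call.name in ("SendMessageW", "PostMessageW") and len(call.args) == 4 \
            and call.args[1] == 0x0401 and isinstance(call.args[3], int):
        lo, hi = call.args[3] & 0xFFFF, (call.args[3] >> 16) & 0xFFFF
        out[3] = f"MAKELPARAM({lo},{hi})"
    return out


def own_call_sequence(calls, module: Optional[str] = None) -> list:
    """Names of the calls the function makes itself (subcall lines excluded), in report order."""
    return [c.name for c in calls
            if c.subcall_of is None and (module is None or c.module == module)]


def render(call: ApiCall) -> str:
    """One-line rendering with known constants substituted, for notes or a triage sheet."""
    names = decode_constants(call)
    parts = []
    for i, a in enumerate(call.args):
        if i in names:
            parts.append(names[i])
        elif a is None:
            parts.append("?")
        elif isinstance(a, int):
            parts.append(str(a) if a < 0 or a <= 255 else f"0x{a:X}")
        else:
            parts.append(repr(a))
    prefix = f"[subcall {call.subcall_of:08X}] " if call.subcall_of is not None else ""
    return f"{prefix}{call.ref:08X} {call.name}.{call.module}({', '.join(parts)})"


# Constructed sample: API lines copied from the WSOCK32, progress-bar and combase.dll blocks above.
SAMPLE = """\
  • Part of subcall function 006C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006C64D9
• WSAGetLastError.WSOCK32(00000000), ref: 006C64E8
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6521
• connect.WSOCK32(00000000,?,00000010), ref: 006C652A
• WSAGetLastError.WSOCK32 ref: 006C6534
• closesocket.WSOCK32(00000000), ref: 006C655D
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006D78C8
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00674292,?), ref: 006741E3
"""

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(render(c))
```

Feed it the "APIs" section of any block on this page; unrelated lines (hashes, dump sources) are ignored, so whole blocks can be pasted in unchanged.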
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00674292,?), ref: 006741E3
                                    • GetProcAddress.KERNEL32(00000000), ref: 006741EA
                                    • EncodePointer.KERNEL32(00000000), ref: 006741F6
                                    • DecodePointer.KERNEL32(00000001,00674292,?), ref: 00674213
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 3489934621-340411864
                                    • Opcode ID: 030858d88be49b5e660ae7307abbde8b703b0f7d6f6ad9630cf9d3fb7bd233b1
                                    • Instruction ID: bc3aaceb688ddc592e7b644c230df140b8157da180804abee169fcbaf6ea5a73
                                    • Opcode Fuzzy Hash: 030858d88be49b5e660ae7307abbde8b703b0f7d6f6ad9630cf9d3fb7bd233b1
                                    • Instruction Fuzzy Hash: 82E092B0992305BEDF101BB5EC0CB943697BB10702F02D424F512D50E0DBB880919F04
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006741B8), ref: 006742B8
                                    • GetProcAddress.KERNEL32(00000000), ref: 006742BF
                                    • EncodePointer.KERNEL32(00000000), ref: 006742CA
                                    • DecodePointer.KERNEL32(006741B8), ref: 006742E5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 3489934621-2819208100
                                    • Opcode ID: cf5325a8c72bdb434a4d8e40a652be7541151297aaeae443c01749a97a1a0415
                                    • Instruction ID: 6d6fd9e668d584a22494724736abee33d1f18538b4424cdb4c9f5ebf0290d4f2
                                    • Opcode Fuzzy Hash: cf5325a8c72bdb434a4d8e40a652be7541151297aaeae443c01749a97a1a0415
                                    • Instruction Fuzzy Hash: 4EE0BF78982305BBEB119B65EC0DB853BA7BB14742F15D025F112F11E0CBB84654DA5C
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$__itow__swprintf
                                    • String ID:
                                    • API String ID: 3253778849-0
                                    • Opcode ID: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
                                    • Instruction ID: 761eba7be322c25d9d4594d1093c869db08e6535eeab02c74eb2c6c76d1edafb
                                    • Opcode Fuzzy Hash: fe2f17f79ebd84cb438237771d0d4cdbd62087dd95f3309a9b711921911bb9bb
                                    • Instruction Fuzzy Hash: 7061AD7050065A9BDF51EF24CC81EFE37AAAF05308F08455DFC5A5B292DB38AD85CB64
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0548
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D0588
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006D05AB
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006D05D4
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006D0617
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D0624
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                    • String ID:
                                    • API String ID: 4046560759-0
                                    • Opcode ID: 4d7f2e07cd61926eec24a48bf3c39e3066bce9cac12b48102a038eb350b7b3a0
                                    • Instruction ID: 0bee1712739dded84fb20414b3813dfe45358170f18f638362635a26de849eac
                                    • Opcode Fuzzy Hash: 4d7f2e07cd61926eec24a48bf3c39e3066bce9cac12b48102a038eb350b7b3a0
                                    • Instruction Fuzzy Hash: D1515A31908240AFD714EF24D895E6FBBEAFF89314F04491EF946872A1DB31E909CB56
                                    APIs
                                    • GetMenu.USER32(?), ref: 006D5A82
                                    • GetMenuItemCount.USER32(00000000), ref: 006D5AB9
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006D5AE1
                                    • GetMenuItemID.USER32(?,?), ref: 006D5B50
                                    • GetSubMenu.USER32(?,?), ref: 006D5B5E
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 006D5BAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: c038d1c55a878b061d505c8781a5bb7ebb4ca63c79a448d4acee4d71a96d3f1a
                                    • Instruction ID: 14104c963409a6037035650ac4fe49e068ac87526cf139ba72589e34bd175f0f
                                    • Opcode Fuzzy Hash: c038d1c55a878b061d505c8781a5bb7ebb4ca63c79a448d4acee4d71a96d3f1a
                                    • Instruction Fuzzy Hash: CA516E35E00629EFCF11EF64C855AEEB7B6EF48310F14446AE816BB351CB30AE418B95
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 006AF3F7
                                    • VariantClear.OLEAUT32(00000013), ref: 006AF469
                                    • VariantClear.OLEAUT32(00000000), ref: 006AF4C4
                                    • _memmove.LIBCMT ref: 006AF4EE
                                    • VariantClear.OLEAUT32(?), ref: 006AF53B
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006AF569
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                    • String ID:
                                    • API String ID: 1101466143-0
                                    • Opcode ID: a57e873efb35ede4d1b48744986da819ced38bd24658e511c7208572462d4ba4
                                    • Instruction ID: 7e1293e3453825b1a3840b1fdc3220fdc40c5635b7a4298c402c9c65cb77ae79
                                    • Opcode Fuzzy Hash: a57e873efb35ede4d1b48744986da819ced38bd24658e511c7208572462d4ba4
                                    • Instruction Fuzzy Hash: FE5169B5A00209EFCB10DF58D884AAAB7F9FF4D354B15856AE959DB301D730E912CFA0
                                    APIs
                                    • _memset.LIBCMT ref: 006B2747
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2792
                                    • IsMenu.USER32(00000000), ref: 006B27B2
                                    • CreatePopupMenu.USER32 ref: 006B27E6
                                    • GetMenuItemCount.USER32(000000FF), ref: 006B2844
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006B2875
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
                                    • Instruction ID: c85f0cc99416406ef35336c3dc92e0180656bafd7eca6932a1b61355973680ff
                                    • Opcode Fuzzy Hash: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
                                    • Instruction Fuzzy Hash: 9151C2B0A0034BDFDF25CF68D898BEEBBF6AF44314F104269E4159B291D7708988CB51
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0065179A
                                    • GetWindowRect.USER32(?,?), ref: 006517FE
                                    • ScreenToClient.USER32(?,?), ref: 0065181B
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0065182C
                                    • EndPaint.USER32(?,?), ref: 00651876
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                    • String ID:
                                    • API String ID: 1827037458-0
                                    • Opcode ID: 7591f2e0e7694158c299181d93b4b84fda7bfdf80c928c8a05f93c078ca0d258
                                    • Instruction ID: 922fce7c525d1e808d18d836b54472243866ea403a92bebfd0c4abfd5e243381
                                    • Opcode Fuzzy Hash: 7591f2e0e7694158c299181d93b4b84fda7bfdf80c928c8a05f93c078ca0d258
                                    • Instruction Fuzzy Hash: 6E41BE70500301AFD720DF28CC84FBA7BEAEB4A725F044669F9A58B2A1C7319849DB61
                                    APIs
                                    • ShowWindow.USER32(007167B0,00000000,016C4AF0,?,?,007167B0,?,006DB862,?,?), ref: 006DB9CC
                                    • EnableWindow.USER32(00000000,00000000), ref: 006DB9F0
                                    • ShowWindow.USER32(007167B0,00000000,016C4AF0,?,?,007167B0,?,006DB862,?,?), ref: 006DBA50
                                    • ShowWindow.USER32(00000000,00000004,?,006DB862,?,?), ref: 006DBA62
                                    • EnableWindow.USER32(00000000,00000001), ref: 006DBA86
                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 006DBAA9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: 7dac9ec9cc19d23f07e71dc67330e1bd7a52a21a2d2f40872cc84d3e311b76c0
                                    • Instruction ID: f6e5876c44f531dc539c88eac996e4454c304935dd6ba9f9595cf59cc52debc5
                                    • Opcode Fuzzy Hash: 7dac9ec9cc19d23f07e71dc67330e1bd7a52a21a2d2f40872cc84d3e311b76c0
                                    • Instruction Fuzzy Hash: D3414134A01281EFDB21CF14C499BD57BE2FB0A310F1A51ABFA498F7A6C731A845CB51
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,006C5134,?,?,00000000,00000001), ref: 006C73BF
                                      • Part of subcall function 006C3C94: GetWindowRect.USER32(?,?), ref: 006C3CA7
                                    • GetDesktopWindow.USER32 ref: 006C73E9
                                    • GetWindowRect.USER32(00000000), ref: 006C73F0
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006C7422
                                      • Part of subcall function 006B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B555E
                                    • GetCursorPos.USER32(?), ref: 006C744E
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006C74AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: e7f145d062a78da455acdb3151d341e759e2f72491656f189dec9dd1ad48e00e
                                    • Instruction ID: 9feec843ccbeb3ab92d24eba29853008c56694bd36474bf446d1a7ba335fa8d8
                                    • Opcode Fuzzy Hash: e7f145d062a78da455acdb3151d341e759e2f72491656f189dec9dd1ad48e00e
                                    • Instruction Fuzzy Hash: 9F31E672509305ABD724DF14D849FABBBEAFF88314F00491EF58997191CB30EA49CB92
                                    APIs
                                      • Part of subcall function 006A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A8608
                                      • Part of subcall function 006A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A8612
                                      • Part of subcall function 006A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A8621
                                      • Part of subcall function 006A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A8628
                                      • Part of subcall function 006A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A863E
                                    • GetLengthSid.ADVAPI32(?,00000000,006A8977), ref: 006A8DAC
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006A8DB8
                                    • HeapAlloc.KERNEL32(00000000), ref: 006A8DBF
                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 006A8DD8
                                    • GetProcessHeap.KERNEL32(00000000,00000000,006A8977), ref: 006A8DEC
                                    • HeapFree.KERNEL32(00000000), ref: 006A8DF3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                    • String ID:
                                    • API String ID: 3008561057-0
                                    • Opcode ID: cad6723fd5f520aa5a623b3531a05c08963514580aa041dff6f7342245c053f9
                                    • Instruction ID: 97023ed437081bf59d444ad642b34b110698664fd095ae251d9459a41efdc670
                                    • Opcode Fuzzy Hash: cad6723fd5f520aa5a623b3531a05c08963514580aa041dff6f7342245c053f9
                                    • Instruction Fuzzy Hash: DB11AC31901605FFDB10AFA4CC09BEEBBABFF56315F14802AE84697250CB329D00CB60
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006A8B2A
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 006A8B31
                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006A8B40
                                    • CloseHandle.KERNEL32(00000004), ref: 006A8B4B
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006A8B7A
                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 006A8B8E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 1413079979-0
                                    • Opcode ID: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
                                    • Instruction ID: a9269abc5411c3f0b925d43366b74785068c426508f80840c9a3823dee664593
                                    • Opcode Fuzzy Hash: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
                                    • Instruction Fuzzy Hash: 01112CB2501209AFDF019FA4ED49FEA7BAAEF09304F045065FE05A2260C7759D619B60
                                    APIs
                                      • Part of subcall function 006512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
                                      • Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065135C
                                      • Part of subcall function 006512F3: BeginPath.GDI32(?), ref: 00651373
                                      • Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065139C
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006DC1C4
                                    • LineTo.GDI32(00000000,00000003,?), ref: 006DC1D8
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006DC1E6
                                    • LineTo.GDI32(00000000,00000000,?), ref: 006DC1F6
                                    • EndPath.GDI32(00000000), ref: 006DC206
                                    • StrokePath.GDI32(00000000), ref: 006DC216
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: 05c1e0f4e43417c68967758b172136e04cc090bdad8f23a8e7cb76cc45fc6112
                                    • Instruction ID: a7ab948d86f5d2d89485e2306ec0c718cb245e7df2cceb9c4bd7532b4df549be
                                    • Opcode Fuzzy Hash: 05c1e0f4e43417c68967758b172136e04cc090bdad8f23a8e7cb76cc45fc6112
                                    • Instruction Fuzzy Hash: D4111E7680010DBFDF119F95DC48FDA7FAEEF04354F048022B9194A1A1C7719E55DBA0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006703D3
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 006703DB
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006703E6
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006703F1
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 006703F9
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00670401
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
                                    • Instruction ID: fd2c2dc1c633868f413f8aa23eea9c5f78792c13d348880b57776b812f992860
                                    • Opcode Fuzzy Hash: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
                                    • Instruction Fuzzy Hash: 97016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006B569B
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006B56B1
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 006B56C0
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56CF
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56D9
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
                                    • Instruction ID: eaa2284347aac635a5d231ac7fca4372c0b89ccca9ae7306ec89e2c622b1dc66
                                    • Opcode Fuzzy Hash: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
                                    • Instruction Fuzzy Hash: C8F03032A42158BBE7215BA2DC0DEEF7B7DEFC6B11F04016AFA06D1160DBA15A0186B5
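The two records above that matter most to a triager are the one ending at the hash 01112CB2… (GetCurrentProcess, OpenProcessToken, CreateEnvironmentBlock, CreateProcessWithLogonW: a process started under explicit credentials) and the one ending at C8F03032… (PostMessageW/SendMessageTimeoutW with message 0x10, which is WM_CLOSE, a 0x1F4 = 500 ms timeout, then OpenProcess with 0x1F0FFF = PROCESS_ALL_ACCESS and TerminateProcess: close a window and, failing that, kill its owner). The following is an added example, not part of the Joe Sandbox report, the IDA plugin or the analysed sample: a parser for this per-function listing format that decodes the printed hex arguments and flags those two call patterns, keyed by the record's Instruction Fuzzy Hash so the result can be matched against other reports. The sample input is the text of those two records copied from this page; the rule names and the `summarise` helper are this example's own. One caveat for anyone turning these into indicators: such sequences (close-then-terminate, run-as, modifier-key lookups via MapVirtualKeyW) are what a script interpreter's standard library looks like, and the AUTOIT.ERROR string further down this page shows the AutoIt runtime is embedded in the sample, so a fuzzy hash of one of these functions will match every AutoIt-compiled binary, benign or not; pivot on hashes of the script-specific code instead.

```python
"""Parse Joe Sandbox 'APIs' function records and flag sensitive API combinations.

Added example for this page; not part of the Joe Sandbox report, the IDA plugin
or the analysed sample. Input is the per-function listing format shown above.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Win32 constants (winnt.h / winuser.h), used to decode the printed hex arguments.
PROCESS_ALL_ACCESS = 0x1F0FFF
WM_CLOSE = 0x0010

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]            # raw tokens as printed: hex, '?' (unresolved) or negative hex
    ref: Optional[str]         # call-site address, 8 hex digits
    subcall_of: Optional[str]  # callee address when listed as 'Part of subcall function'

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""       # 'Instruction Fuzzy Hash'; stays empty if the record is truncated

_CALL = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]{8}))?\s*$")
_FIELD = re.compile(r"^•\s*(?P<key>API ID|String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
_SECTION_END = {"Memory Dump Source", "Strings", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into one FunctionRecord per 'APIs' block."""
    records: list[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    in_apis = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            in_apis = True
            continue
        if cur is None:
            continue
        if line in _SECTION_END:
            in_apis = False
            continue
        m = _FIELD.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            else:
                cur.fuzzy_hash = val
            continue
        if in_apis and (m := _CALL.match(line)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                     m.group("ref"), m.group("sub")))
    return records

def hex_arg(token: str) -> Optional[int]:
    """Decode a printed argument; '?' and other non-hex tokens give None."""
    try:
        return int(token, 16)
    except ValueError:
        return None

def flag_record(rec: FunctionRecord) -> list[str]:
    """Findings for one record; only direct calls count, subcall lines are context."""
    direct = {c.name for c in rec.calls if c.subcall_of is None}
    findings: list[str] = []
    if {"OpenProcess", "TerminateProcess"} <= direct:
        access = next((hex_arg(c.args[0]) for c in rec.calls
                       if c.name == "OpenProcess" and c.args), None)
        rights = "PROCESS_ALL_ACCESS" if access == PROCESS_ALL_ACCESS else "unknown rights"
        findings.append(f"OpenProcess with {rights} followed by TerminateProcess")
    if any(c.name in ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
           and len(c.args) > 1 and hex_arg(c.args[1]) == WM_CLOSE for c in rec.calls):
        findings.append("sends WM_CLOSE (0x10) to a window")
    if "CreateProcessWithLogonW" in direct:
        findings.append("starts a process under explicit credentials (CreateProcessWithLogonW)")
    return findings

def summarise(text: str) -> dict[str, list[str]]:
    """Map each flagged record's instruction fuzzy hash to its findings."""
    return {rec.fuzzy_hash: hits for rec in parse_records(text) if (hits := flag_record(rec))}

# Sample input: the two records copied from this page (hash lines included).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006A8B2A
• OpenProcessToken.ADVAPI32(00000000), ref: 006A8B31
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006A8B40
• CloseHandle.KERNEL32(00000004), ref: 006A8B4B
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006A8B7A
• DestroyEnvironmentBlock.USERENV(00000000), ref: 006A8B8E
Memory Dump Source
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Instruction Fuzzy Hash: 01112CB2501209AFDF019FA4ED49FEA7BAAEF09304F045065FE05A2260C7759D619B60
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006B569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006B56B1
• GetWindowThreadProcessId.USER32(?,?), ref: 006B56C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56CF
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56D9
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56E0
Memory Dump Source
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Instruction Fuzzy Hash: C8F03032A42158BBE7215BA2DC0DEEF7B7DEFC6B11F04016AFA06D1160DBA15A0186B5
"""

if __name__ == "__main__":
    for fuzzy_hash, hits in summarise(SAMPLE).items():
        print(fuzzy_hash[:16], "...", "; ".join(hits))
```

Feed `summarise` the whole text of a report's function listing to get every flagged record; a record cut off before its Instruction Fuzzy Hash line (as the last one on this page is) is still parsed and is keyed by an empty hash, so check for that key before using the result as an indicator.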
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 006B74E5
                                    • EnterCriticalSection.KERNEL32(?,?,00661044,?,?), ref: 006B74F6
                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00661044,?,?), ref: 006B7503
                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00661044,?,?), ref: 006B7510
                                      • Part of subcall function 006B6ED7: CloseHandle.KERNEL32(00000000,?,006B751D,?,00661044,?,?), ref: 006B6EE1
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 006B7523
                                    • LeaveCriticalSection.KERNEL32(?,?,00661044,?,?), ref: 006B752A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
                                    • Instruction ID: 1a529e7de8f9cc0c874bfe1fed336fed0c5bb313376ffd018708957c1e24f3a0
                                    • Opcode Fuzzy Hash: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
                                    • Instruction Fuzzy Hash: A2F0547A945612EBD7211BA4FC4C9DB772BEF45302B011532F143910B0CB755A41CB90
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006A8E7F
                                    • UnloadUserProfile.USERENV(?,?), ref: 006A8E8B
                                    • CloseHandle.KERNEL32(?), ref: 006A8E94
                                    • CloseHandle.KERNEL32(?), ref: 006A8E9C
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 006A8EA5
                                    • HeapFree.KERNEL32(00000000), ref: 006A8EAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                    • String ID:
                                    • API String ID: 146765662-0
                                    • Opcode ID: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
                                    • Instruction ID: 7bf567777ef715ef3411931ef5103153011a2bc78ea4188118cb080025d1ed8a
                                    • Opcode Fuzzy Hash: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
                                    • Instruction Fuzzy Hash: A0E0E536905001FBDB012FE5EC0C95ABF7AFF89322B119232F21AC1170CB329420DB90
                                    APIs
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C32
                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C4A
                                    • CLSIDFromProgID.OLE32(?,?,00000000,006DFB80,000000FF,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C6F
                                    • _memcmp.LIBCMT ref: 006A7C90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FromProg$FreeTask_memcmp
                                    • String ID: ,,n
                                    • API String ID: 314563124-1563246951
                                    • Opcode ID: 341c8263e76975cf3ba0b98830b3911b03067ee11ff91ebf75c0fb3ac1919848
                                    • Instruction ID: 44da9b5ab90af5bd584119fd6e806371b47bf38d08d11091c9310ca2c268d6f3
                                    • Opcode Fuzzy Hash: 341c8263e76975cf3ba0b98830b3911b03067ee11ff91ebf75c0fb3ac1919848
                                    • Instruction Fuzzy Hash: FB810B75A00109EFCB04DF94C984EEEB7BAFF89315F204199E516AB250DB71AE06CF60
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 006C8928
                                    • CharUpperBuffW.USER32(?,?), ref: 006C8A37
                                    • VariantClear.OLEAUT32(?), ref: 006C8BAF
                                      • Part of subcall function 006B7804: VariantInit.OLEAUT32(00000000), ref: 006B7844
                                      • Part of subcall function 006B7804: VariantCopy.OLEAUT32(00000000,?), ref: 006B784D
                                      • Part of subcall function 006B7804: VariantClear.OLEAUT32(00000000), ref: 006B7859
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: ce9b0b0894f7d289af967be1449e52a2894da18f8dad90419ec955526743e0f4
                                    • Instruction ID: 8ba9b395d33b495728f2a8862d4f872e9c24b4bd4dea6a7563198d2a13bb9335
                                    • Opcode Fuzzy Hash: ce9b0b0894f7d289af967be1449e52a2894da18f8dad90419ec955526743e0f4
                                    • Instruction Fuzzy Hash: D4914B756043019FC750DF28C484E6ABBE6EF89314F14896EF89A8B361DB31E946CB52
                                    APIs
                                      • Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9
                                    • _memset.LIBCMT ref: 006B3077
                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B30A6
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B3159
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006B3187
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: 13557fbf4e9a820b1922844dd6c3d093218cbac14ab298ba1c8a3bee2b8247b9
                                    • Instruction ID: 918c838a24dde7a8204bca142ac9c061ba1bdf7424907af23b9dccb1b514b0fd
                                    • Opcode Fuzzy Hash: 13557fbf4e9a820b1922844dd6c3d093218cbac14ab298ba1c8a3bee2b8247b9
                                    • Instruction Fuzzy Hash: 2051E1B17083219AD724AF2CC845AEBB7EAEF55310F044A2DF885D7391EB70CA858756
                                    APIs
                                    • _memset.LIBCMT ref: 006B2CAF
                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006B2CCB
                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 006B2D11
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00716890,00000000), ref: 006B2D5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
                                    • Instruction ID: 45e4ab92116adaa15462afe7d20f66d93896ec02477d3e1efb7081369eab0732
                                    • Opcode Fuzzy Hash: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
                                    • Instruction Fuzzy Hash: 8E41BFB02043029FD720DF24D855B9ABBEAEF85320F04461EF9669B391D770E944CB96
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CDAD9
                                      • Part of subcall function 006579AB: _memmove.LIBCMT ref: 006579F9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharLower_memmove
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 3425801089-567219261
                                    • Opcode ID: 9f6fbb389adeccddf529171cad5f6faa14713ea33fda93dd37404392ccd8d603
                                    • Instruction ID: 9eb80f0a7194c02952f8a953c888e960042b20d2f79010c568bc26c1c6ab330a
                                    • Opcode Fuzzy Hash: 9f6fbb389adeccddf529171cad5f6faa14713ea33fda93dd37404392ccd8d603
                                    • Instruction Fuzzy Hash: A9315EB090061AEBCF50EF54C8919FEB3B6FF05310B10866DA866A77D1DB71AE05CB94
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006A93F6
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006A9409
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 006A9439
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: MessageSend$_memmove$ClassName
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 365058703-1403004172
                                    • Opcode ID: 89e3bb1a1b85523e1dca93da395cbf5f1a50cd0a8e1bfe5250f96dd1b6d17967
                                    • Instruction ID: 92a8b8d77937860839845057cf47fd60daae422b68fd1b91f5b7f55092001169
                                    • Instruction Fuzzy Hash: 4B21B471D01108AADB14AB74DC858FFB7BADF06350F24821DF926972E1DB355E0A9A20
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C1B40
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006C1B66
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006C1B96
                                    • InternetCloseHandle.WININET(00000000), ref: 006C1BDD
                                      • Part of subcall function 006C2777: GetLastError.KERNEL32(?,?,006C1B0B,00000000,00000000,00000001), ref: 006C278C
                                      • Part of subcall function 006C2777: SetEvent.KERNEL32(?,?,006C1B0B,00000000,00000000,00000001), ref: 006C27A1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 3113390036-3916222277
                                    • Opcode ID: 685e60d8b2193c36c7f0dc166398fa0f194b1e237b02ac9808e35abfeacb1e75
                                    • Instruction ID: f59cf3c1250a3586493c8ed2db8754036acdb45e3eba6176d4bb7e489f2265cf
                                    • Instruction Fuzzy Hash: 28217CB1500208BFEB11AF609CD5FFB77EEEB4A744F10412EF506AA241EB249D059AA5
                                    APIs
                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006D66D0
                                    • LoadLibraryW.KERNEL32(?), ref: 006D66D7
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006D66EC
                                    • DestroyWindow.USER32(?), ref: 006D66F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    • Opcode ID: 6c1e51131ea24b46010d50befabbdd46ba286ba536785404338a9086e5c0a018
                                    • Instruction ID: 19558a00dde203f9d9c4de753e60788de79365fe8609a1f4f7f5d6f99d89bf17
                                    • Instruction Fuzzy Hash: 53218E71900249ABEF104F64DC80EEB37AEEB59368F10462AF911923E0D772CC519761
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 006B705E
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B7091
                                    • GetStdHandle.KERNEL32(0000000C), ref: 006B70A3
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006B70DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 3a2c0e09262303785e10c2a92157e767813ca929f6ead1a3fac0bd20bbbad3b8
                                    • Instruction ID: 5549e53b0a403e44fde9af3ac14b5c272c360e9f0e8e7e3cdc7e9cc0fa8bc5ba
                                    • Instruction Fuzzy Hash: 632151F4504209ABDB20AF78DC05ADA77AAAF94720F20461AFCA1D73D0D77099918B60
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 006B712B
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B715D
                                    • GetStdHandle.KERNEL32(000000F6), ref: 006B716E
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006B71A8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 6ae4eab37013eebdbcf3933802e65f0e517d660d3e98db7c855c6678fc503c55
                                    • Instruction ID: 041bc71ba6697ee893eef513d06e0d458ae0be9c9145e7b2fc7506aa4239474f
                                    • Instruction Fuzzy Hash: 942171B5904205ABDB209F6CDC04AEAB7EAAF95720F240619FDA1D73D0D77099818B64
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 006BAEBF
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006BAF13
                                    • __swprintf.LIBCMT ref: 006BAF2C
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,006DF910), ref: 006BAF6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    • Opcode ID: 86006bffdec165cf6f887488ea9e3b384c35c3e2a8b7ef0dea452ddc5d848311
                                    • Instruction ID: 4d8facc292ba64fefb1af3df1414f8ae06c2c92f2dd4eac52a0ebad293924360
                                    • Instruction Fuzzy Hash: CE217F74A00209AFCB50EFA4CD85DEE7BB9EF89704B144069F909EB351DB31EA45CB21
                                    APIs
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                      • Part of subcall function 006AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006AA399
                                      • Part of subcall function 006AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006AA3AC
                                      • Part of subcall function 006AA37C: GetCurrentThreadId.KERNEL32 ref: 006AA3B3
                                      • Part of subcall function 006AA37C: AttachThreadInput.USER32(00000000), ref: 006AA3BA
                                    • GetFocus.USER32 ref: 006AA554
                                      • Part of subcall function 006AA3C5: GetParent.USER32(?), ref: 006AA3D3
                                    • GetClassNameW.USER32(?,?,00000100), ref: 006AA59D
                                    • EnumChildWindows.USER32(?,006AA615), ref: 006AA5C5
                                    • __swprintf.LIBCMT ref: 006AA5DF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                    • String ID: %s%d
                                    • API String ID: 1941087503-1110647743
                                    • Opcode ID: 82744f82bd9ba3d5417a81994fa7b5bfc15e9e4beba3e4a99e2cc83e62a61e39
                                    • Instruction ID: 8e2012bf4e62817adf9a4f2fbfda1a32af415f9f7f3120948a948cf79f4264df
                                    • Instruction Fuzzy Hash: B311A271600208ABDF51BFA0EC85FEA777A9F49701F04807ABD09AA152CB705D45CF79
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 006B2048
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                    • API String ID: 3964851224-769500911
                                    • Opcode ID: 356722f5d3992e465db0780cfb6269a8522f06c0ec9ee071452479fffee84494
                                    • Instruction ID: adfcf5abc583b616955b384aeccfbdc3695855e6ca53871e0494edda0af3066b
                                    • Instruction Fuzzy Hash: 4A115B7091020ADFCF50EFA8D8514EEB7F6FF19304F108969D856A7392EB32691ACB50
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006CEF1B
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 006CEF4B
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006CF07E
                                    • CloseHandle.KERNEL32(?), ref: 006CF0FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    • Opcode ID: dd571c5a980cce67ce5cb69b3059768aff0deb81109cda54aeda1eb23862ccc7
                                    • Instruction ID: 1363bc7dd075f5e9bd957980487ec1b7da84caaeb84b949126281442f21c0bd3
                                    • Instruction Fuzzy Hash: A2815E716043009FD760DF28CC46F6AB7E6EF48B10F14881DF9969B392DB71AC458B95
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0388
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D03C7
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006D040E
                                    • RegCloseKey.ADVAPI32(?,?), ref: 006D043A
                                    • RegCloseKey.ADVAPI32(00000000), ref: 006D0447
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                    • String ID:
                                    • API String ID: 3440857362-0
                                    • Opcode ID: 6eac98816d05e59d955027badf6510209f89ff1e84bbd27737d6064be81815b2
                                    • Instruction ID: 5dd4b40909f7a642bac84102979d4710ac6e62fe1d08e451d9551a44472ab0df
                                    • Instruction Fuzzy Hash: 6D514A31608205EFD744EF64D891F6EB7EAFF88304F04892EB59687291DB70E909CB56
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006BE88A
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006BE8B3
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006BE8F2
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006BE917
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006BE91F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    • Opcode ID: 522d30ce6404378d806d84b0c2a89943b99b5a86b1644535b58e21001de95007
                                    • Instruction ID: faa5330b59a72f193d59247536ca5e3874483f0f263fb6629716e8015d2a8aeb
                                    • Instruction Fuzzy Hash: F9513035A00209DFCF41EF64C9819ADBBF6EF08311F188099E80AAB361DB31ED55CB64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 939d6b3752ed94dbdb2baaddc2f4c714ce5cea9e55d174dd73946b12a3866d33
                                    • Instruction ID: a0aeaa32d4e5af42ab191f4f085a4483c5ba3ef89f641810768363a4291160e2
                                    • Instruction Fuzzy Hash: 8841D235D09104AFC720DFA8CC48BE9BBA7EB09310F164266E856E73E1D770AE41DA51
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 00652357
                                    • ScreenToClient.USER32(007167B0,?), ref: 00652374
                                    • GetAsyncKeyState.USER32(00000001), ref: 00652399
                                    • GetAsyncKeyState.USER32(00000002), ref: 006523A7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: 31fee62aff19ee61a0fdf414b5ce2c4944c63fc2558bb364c1e22228d71534da
                                    • Instruction ID: d46554374bfd73bee4e02810039a282a00efc723d4cf081d25cb3625c6d8872e
                                    • Instruction Fuzzy Hash: 7F418F3190411AFBDF159F68C854AE9BB76FB46321F20436AF82992290C7349E58DFA1
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A695D
                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 006A69A9
                                    • TranslateMessage.USER32(?), ref: 006A69D2
                                    • DispatchMessageW.USER32(?), ref: 006A69DC
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A69EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                    • String ID:
                                    • API String ID: 2108273632-0
                                    • Opcode ID: 910050750789f1398234aa3c165fdcf3b1505438f0e5936b9b27a36691299240
                                    • Instruction ID: 45a5d26b7ffb9cc56856c4154f8ad4943f0263ed00ef0a59c3e52bd9b84767f5
                                    • Opcode Fuzzy Hash: 910050750789f1398234aa3c165fdcf3b1505438f0e5936b9b27a36691299240
                                    • Instruction Fuzzy Hash: 4D31B271900247AADB60AF78DC49BF77BAEAB03304F18C169F522D22A1D674DC85DF90
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 006A8F12
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 006A8FBC
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006A8FC4
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 006A8FD2
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006A8FDA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
                                    • Instruction ID: aeb7afed6924d8e9f4e209dba2ce25b5af78bee41521554e99ab8297bc3cbb1f
                                    • Opcode Fuzzy Hash: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
                                    • Instruction Fuzzy Hash: 9531AB7190021AEFDB14DF68D94CADE7BB6EB46315F10422AF925AB2D0CBB09D14DF90
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 006AB6C7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006AB6E4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006AB71C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006AB742
                                    • _wcsstr.LIBCMT ref: 006AB74C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: db438ca717ea56d526f898e5ec0702eb203aaba91ecbbd8bab45704c81e2bc35
                                    • Instruction ID: 8d738eab5ae046ce3736ddfba4fc4158d98fa2384fd25ccf2094e2cf15dc71b1
                                    • Opcode Fuzzy Hash: db438ca717ea56d526f898e5ec0702eb203aaba91ecbbd8bab45704c81e2bc35
                                    • Instruction Fuzzy Hash: 2221FC31605244BBEB156B399C49E7B7B9EDF46710F10903EFC09CA2A2EFA1DC419B60
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • GetWindowLongW.USER32(?,000000F0), ref: 006DB44C
                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006DB471
                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006DB489
                                    • GetSystemMetrics.USER32(00000004), ref: 006DB4B2
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006C1184,00000000), ref: 006DB4D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$Long$MetricsSystem
                                    • String ID:
                                    • API String ID: 2294984445-0
                                    • Opcode ID: d8fa7e09d2f58e551b0558fe629612ac9c6515829e3f72af9c39a96a9992b655
                                    • Instruction ID: 0866a41b6aec382c8984a23ee390c38c02b77dfef61b1426251045c9523a8005
                                    • Opcode Fuzzy Hash: d8fa7e09d2f58e551b0558fe629612ac9c6515829e3f72af9c39a96a9992b655
                                    • Instruction Fuzzy Hash: 3C219471D10255EFCB10CF389C04AA937E6EB05720F16973AF926C23E9E7309811DB80
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A9802
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9834
                                    • __itow.LIBCMT ref: 006A984C
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9874
                                    • __itow.LIBCMT ref: 006A9885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow$_memmove
                                    • String ID:
                                    • API String ID: 2983881199-0
                                    • Opcode ID: 05b5451e22b4caa58101dd2cb0b11691496287c225c551b19afe34bc33e7c8e9
                                    • Instruction ID: 8437808523ad4daa0be60e2a695fdd4b47c9b816d632d499f2874fd7434fc911
                                    • Opcode Fuzzy Hash: 05b5451e22b4caa58101dd2cb0b11691496287c225c551b19afe34bc33e7c8e9
                                    • Instruction Fuzzy Hash: 4021F831B01208ABDB10AB659C86EEE7BBBDF4B710F144029FD05DB281D6748D459BA1
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
                                    • SelectObject.GDI32(?,00000000), ref: 0065135C
                                    • BeginPath.GDI32(?), ref: 00651373
                                    • SelectObject.GDI32(?,00000000), ref: 0065139C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: 417c6d044c94026f37761d688a1ca57207f15749d39f8a3763a5c92d3993f25e
                                    • Instruction ID: 55dd0ff01476fb422af1345d22c9c35d39d3a045dd1c69007909be11b37ce9d6
                                    • Opcode Fuzzy Hash: 417c6d044c94026f37761d688a1ca57207f15749d39f8a3763a5c92d3993f25e
                                    • Instruction Fuzzy Hash: 70214C70C01208EFDB119F2DDC187E97BBAFB01322F14C226F8119A6E0D775999ADB94
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    • Opcode ID: 1e947a57780b0cd30dbbfe043b375f130bba452f9bbe26a12783385be3df8f1e
                                    • Instruction ID: 67bb26b96d80af1f787a7a6d3444dd1b2d52bf11ee2cb9d8d75ceaeeec43cbe2
                                    • Opcode Fuzzy Hash: 1e947a57780b0cd30dbbfe043b375f130bba452f9bbe26a12783385be3df8f1e
                                    • Instruction Fuzzy Hash: 9201B9B17052067BD604B9259C52FAB739F9F237B4F148115FD049A343FA50EE1187E4
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 006B4D5C
                                    • __beginthreadex.LIBCMT ref: 006B4D7A
                                    • MessageBoxW.USER32(?,?,?,?), ref: 006B4D8F
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006B4DA5
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006B4DAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                    • String ID:
                                    • API String ID: 3824534824-0
                                    • Opcode ID: 35b9c9332e8eef78ce24c4376911e4bd93dcbcf785f4bd2738ceb49c411d1383
                                    • Instruction ID: 10b28d7f9c903ece0bc1f2819e6f78295ec9f24a7ab2986188626ed900959a40
                                    • Opcode Fuzzy Hash: 35b9c9332e8eef78ce24c4376911e4bd93dcbcf785f4bd2738ceb49c411d1383
                                    • Instruction Fuzzy Hash: 9F1108B2D05244BFC7019BACDC08AEA7FAEEF49320F148366F915D3391DA758D4087A1
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
                                    • GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
                                    • GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
                                    • HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 842720411-0
                                    • Opcode ID: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
                                    • Instruction ID: a4e33feeab44a4f4de9616231f3258ce2f9de13933742b8d09fbc6c8a3dde06b
                                    • Opcode Fuzzy Hash: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
                                    • Instruction Fuzzy Hash: ED011271A01204FFDB105FA5DC48DABBB6EFF8A755720057AF84AC3260DA31DD00CA60
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5502
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B5510
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5518
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B5522
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B555E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: 47fdd6bd4c3e4cdb7daceedbd571713596a5ec22d4b65cc1ed5deb16a76b6e10
                                    • Instruction ID: 4e5ba4f322d532e262f662550793660b132374cbba52a915cc2f82b7318a0a9b
                                    • Opcode Fuzzy Hash: 47fdd6bd4c3e4cdb7daceedbd571713596a5ec22d4b65cc1ed5deb16a76b6e10
                                    • Instruction Fuzzy Hash: 40012176D01A19DBDF10EFE4EC486EDBB7AFB09712F040556E502B2240DB305594C7A1
                                    APIs
                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?,?,006A799D), ref: 006A766F
                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A768A
                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A7698
                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?), ref: 006A76A8
                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A76B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
                                    • Instruction ID: 3c9fa27e5ae253b84e0f1886f79d2e6a0aa533036f1fcb4b610550dd8082fec2
                                    • Opcode Fuzzy Hash: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
                                    • Instruction Fuzzy Hash: 800184B2A01614BBDB106F58DC44BAA7BFEEB45751F145029FD05D2211E731DE419BA0
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A8608
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A8612
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A8621
                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A8628
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A863E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
                                    • Instruction ID: 0aa5f174658a80a9ece5edb072903d07aa8545ead49fab2c495f61922e9583bc
                                    • Opcode Fuzzy Hash: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
                                    • Instruction Fuzzy Hash: B5F06231602204AFEB101FA5DD9DEAB3BAEEF8A754B045426F946C7250CB719C41DE60
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8669
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A8673
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8682
                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8689
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A869F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                    • String ID:
                                    • API String ID: 44706859-0
                                    • Opcode ID: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
                                    • Instruction ID: 1af62a146f325f8577f381dc2e833864ef7d22eeba8eab6f090cb8ab6603c1fa
                                    • Opcode Fuzzy Hash: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
                                    • Instruction Fuzzy Hash: EEF06271601314AFEB112FA5EC88EA77BBEEF8A754B141026F946C7250CB71DD41DE60
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 006AC6BA
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 006AC6D1
                                    • MessageBeep.USER32(00000000), ref: 006AC6E9
                                    • KillTimer.USER32(?,0000040A), ref: 006AC705
                                    • EndDialog.USER32(?,00000001), ref: 006AC71F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: e31fc3db883daeeec87fad6164d818ea6ca111b4e924cbb418cae9157c7de71b
                                    • Instruction ID: c514396709b032b916a54d9dd3bad5ddff8855c59c2d20c9b860871dde3ae7fc
                                    • Opcode Fuzzy Hash: e31fc3db883daeeec87fad6164d818ea6ca111b4e924cbb418cae9157c7de71b
                                    • Instruction Fuzzy Hash: 4E016230901704ABEB21AB20ED4EF9677BAFF01715F0416AAF543A15E1DBE1ED558F80
                                    APIs
                                    • EndPath.GDI32(?), ref: 006513BF
                                    • StrokeAndFillPath.GDI32(?,?,0068BAD8,00000000,?), ref: 006513DB
                                    • SelectObject.GDI32(?,00000000), ref: 006513EE
                                    • DeleteObject.GDI32 ref: 00651401
                                    • StrokePath.GDI32(?), ref: 0065141C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: a6f3f415185e399e639ccc989620ed8c5386c8ed21244346a36a1527a459ad39
                                    • Instruction ID: e582a4c2cd772945c4748a24e59691f5eeab733c955d6db5442f6a2c0c6d6dc7
                                    • Opcode Fuzzy Hash: a6f3f415185e399e639ccc989620ed8c5386c8ed21244346a36a1527a459ad39
                                    • Instruction Fuzzy Hash: 81F0E730405308EBDB115F2EEC1C7983FA6AB02326F04D225E82A895F1C73989A9DF64
                                    APIs
                                      • Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
                                      • Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 00657BB1: _memmove.LIBCMT ref: 00657C0B
                                    • __swprintf.LIBCMT ref: 0066302D
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00662EC6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 1943609520-557222456
                                    • Opcode ID: 5f6e4460a962e840082f6996a4fc284ca59579b00bc87ca6e1584ab491bb89b0
                                    • Instruction ID: e1ad662b41089fa608295a3a6dc5de253b75658865b534ad2598b38d83f74442
                                    • Opcode Fuzzy Hash: 5f6e4460a962e840082f6996a4fc284ca59579b00bc87ca6e1584ab491bb89b0
                                    • Instruction Fuzzy Hash: 75919F715083119FCB58EF24D895C6EB7AAEF85740F04491DF8869B3A1DB30EE48CB66
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 006AB981
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container$%n
                                    • API String ID: 3565006973-1483441161
                                    • Opcode ID: 86cbec4ef433a2a5c5d74cb6c80a717ee18fb42069d84792d0d0f6728f353cfc
                                    • Instruction ID: a85efe88569bd82293c34c0061e8887b8b782551963f6e1482f97135f20de3f2
                                    • Opcode Fuzzy Hash: 86cbec4ef433a2a5c5d74cb6c80a717ee18fb42069d84792d0d0f6728f353cfc
                                    • Instruction Fuzzy Hash: 6E913B706006019FDB54DF68C884A6AB7EAFF4A710F14956DE94ACB7A2DB70EC41CF60
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 006752DD
                                      • Part of subcall function 00680340: __87except.LIBCMT ref: 0068037B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 0fdaa0de95a45edf08ff7f8e2053a8d1ea38f7ea6ede32b09c8b828b318e5a2f
                                    • Instruction ID: df0fdac46ec364cbe0bfb44822d5ed8497a2734feaf724341e912300e7ee3596
                                    • Opcode Fuzzy Hash: 0fdaa0de95a45edf08ff7f8e2053a8d1ea38f7ea6ede32b09c8b828b318e5a2f
                                    • Instruction Fuzzy Hash: F4514C61A0DA01C7E7917724C9413BA27D79B00750F20CF98E49E453E6EFB4CDD99B46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: #$+
                                    • API String ID: 0-2552117581
                                    • Opcode ID: 2430aade28b163f8b1638a64b67b007964195f68bcf57885398a9f665c6caa25
                                    • Instruction ID: 0fef4e35c9571c8f4db442c3e7ccf7d024aad370c846ff660f08ed9a5edf1652
                                    • Opcode Fuzzy Hash: 2430aade28b163f8b1638a64b67b007964195f68bcf57885398a9f665c6caa25
                                    • Instruction Fuzzy Hash: 60512175504246DFDF15FF28C888AFA7BA6EF1A320F188055EC969B3A0D7309D46CB64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove$_free
                                    • String ID: Oaf
                                    • API String ID: 2620147621-1555074404
                                    • Opcode ID: 862335924f52fa75c7e7cd58799c29b72c072dc05607e6d977ad5ddfe3f4de4e
                                    • Instruction ID: 3f74dcf8f53cd0428506e855cacecd80e8679dd1f1eba0dd6346423813c31154
                                    • Opcode Fuzzy Hash: 862335924f52fa75c7e7cd58799c29b72c072dc05607e6d977ad5ddfe3f4de4e
                                    • Instruction Fuzzy Hash: BA513A716183519FDB64CF28C451B6BBBE6BF85314F04892DE98AC7351DB31EA01CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$_memmove
                                    • String ID: ERCP
                                    • API String ID: 2532777613-1384759551
                                    • Opcode ID: 1770eb2a1b91366eba3573ae86a0f8f8617e6d2e8e5888d551850afefc5356b5
                                    • Instruction ID: a44d99e25089975bef12adfbd4d6c7b76c2310da01c9cc90f4e6ed7883490a67
                                    • Opcode Fuzzy Hash: 1770eb2a1b91366eba3573ae86a0f8f8617e6d2e8e5888d551850afefc5356b5
                                    • Instruction Fuzzy Hash: 9851A071900309DBDB24CF65D8817EABBF6EF04714F20856EE54ADB341EB71AA85CB50
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006D76D0
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006D76E4
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 006D7708
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: ccf4f7689e7858d44c6b06e8f35934ccfc60e0dc1b28df95ecda7b583721c68a
                                    • Instruction ID: a896d8c074fa7917475452a31d119d8fabf87711cf2499e46556cc65d649ba5b
                                    • Opcode Fuzzy Hash: ccf4f7689e7858d44c6b06e8f35934ccfc60e0dc1b28df95ecda7b583721c68a
                                    • Instruction Fuzzy Hash: 2D21B532900219BBDF11CF54CC46FEA3B7AEF48714F111215FE156B2D0E6B5E8519BA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006D6FAA
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006D6FBA
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006D6FDF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: a0167a50c2ee12c0e4e2514ea84112f720777f0ec8c46c56ddd02b8087bf606c
                                    • Instruction ID: b6adc5205642149e6b2741692c3d98d187848efe13e3aa7b3585783d222d26b9
                                    • Opcode Fuzzy Hash: a0167a50c2ee12c0e4e2514ea84112f720777f0ec8c46c56ddd02b8087bf606c
                                    • Instruction Fuzzy Hash: A8219232A11118BFDF118F54DC85FEB37ABEF89754F018126F9159B290CA71AC518BA0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006D79E1
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006D79F6
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006D7A03
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: 99b6ecf944338def7f795ff804591ef59637fca5914b11e9e236d0954b2df78b
                                    • Instruction ID: b21e2b68335c164cacf48b3d3464f34438bcea984dcffc294e99c8c25717195c
                                    • Opcode Fuzzy Hash: 99b6ecf944338def7f795ff804591ef59637fca5914b11e9e236d0954b2df78b
                                    • Instruction Fuzzy Hash: E411E372644208BAEF109F64CC05FEB37AAEF89764F02461AFA41A62D0E671D811DB64
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00654C2E), ref: 00654CA3
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00654CB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
                                    • Instruction ID: 6fb95732ec53a1bf4f5b5ac0b74410649ff0f8a23271b134060c084f6f643470
                                    • Opcode Fuzzy Hash: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
                                    • Instruction Fuzzy Hash: C6D01730911723CFD7209F31DE18A4676E7AF06796F16887B9897D6250EBB0D8C4CA50
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00654D2E,?,00654F4F,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654D6F
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00654D81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: 78bdcc5a0d1f2d4962b09c4e46d51e1939c5a5c9f1cbba2052282ff92aae0083
                                    • Instruction ID: b993f5fbf67233979e85193a508ad324b723c9d54c98ba107f43d38eacec4e9a
                                    • Opcode Fuzzy Hash: 78bdcc5a0d1f2d4962b09c4e46d51e1939c5a5c9f1cbba2052282ff92aae0083
                                    • Instruction Fuzzy Hash: ACD0C731900313CFC7208F30CC0864272EAAF00352F119A3B9883C2390EB78D8C0CA50
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00654CE1,?), ref: 00654DA2
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00654DB4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: b3b1d271876d8eba7c27096309cd8181bc999aba5266a5fcc27401a08246340d
                                    • Instruction ID: d989cce969cb80a5a8d6ec2820d5022841e44f661681bef0410935446258b0bf
                                    • Opcode Fuzzy Hash: b3b1d271876d8eba7c27096309cd8181bc999aba5266a5fcc27401a08246340d
                                    • Instruction Fuzzy Hash: D1D01771950713CFD7209F31DC08A8676E6AF0535AF15897BD8D6D6290EB78D8C4CA50
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,006D12C1), ref: 006D1080
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006D1092
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: ada41598f5d265b39206277ad4831a35cb8e33c4eaba45a1cce05fb312e9254d
                                    • Instruction ID: 01222601863fc796aa1676f88b0ac00ff6a78fc6ac358a55fac8a8112ca42582
                                    • Opcode Fuzzy Hash: ada41598f5d265b39206277ad4831a35cb8e33c4eaba45a1cce05fb312e9254d
                                    • Instruction Fuzzy Hash: 53D01270910713DFD7205F35DC2895676E5AF05751B158D3BA496DA290DBB4C4C0C650
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,006C9009,?,006DF910), ref: 006C9403
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006C9415
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: 40a1be481347d2222b30d7c92e5829bf27fb5d766a019ac07e2b8690a9ede7e3
                                    • Instruction ID: 4e06331262774ef4b1fc6b05f18a9b03b51df75debc2b2b46926526576280485
                                    • Opcode Fuzzy Hash: 40a1be481347d2222b30d7c92e5829bf27fb5d766a019ac07e2b8690a9ede7e3
                                    • Instruction Fuzzy Hash: 2BD01774910713DFDB209F31DD0CA5777E6AF06351B16C83FA496D6690EB74C880CA60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: ebf939cb4cb9dfbe16ca543e1928c15ce923b53a18bfb13ae88f9f9d4f4bfb56
                                    • Instruction ID: 9eb561e5c058d884cd4d3ebffcc53ecbae872f0e837e02f30303dc7fd5b4542c
                                    • Opcode Fuzzy Hash: ebf939cb4cb9dfbe16ca543e1928c15ce923b53a18bfb13ae88f9f9d4f4bfb56
                                    • Instruction Fuzzy Hash: B5D012B5C0421AEACF449B90DC449F9737FA709311F704593B90695848F2359B86AB25
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
                                    • Instruction ID: fbc0bb2aa491f38d835301b0608778fefb0dc17bbdb2af4eb2288bfcbbb8d8ed
                                    • Opcode Fuzzy Hash: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
                                    • Instruction Fuzzy Hash: 15C15B75A04216EFCB14EF94C884AAEB7B6FF49710B158599E806EB351D730EE81CF90
                                    APIs
                                    • CharLowerBuffW.USER32(?,?), ref: 006CE3D2
                                    • CharLowerBuffW.USER32(?,?), ref: 006CE415
                                      • Part of subcall function 006CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CDAD9
                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006CE615
                                    • _memmove.LIBCMT ref: 006CE628
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                    • String ID:
                                    • API String ID: 3659485706-0
                                    • Opcode ID: 053a4352e8fc7053a33c896e70bc282c9dddf1096863c84ef1b5a3bc2f44ad5d
                                    • Instruction ID: 88a2000208a8fa5b78866e898a62cef2a300da075a5676c761cb7fa0d71b400c
                                    • Opcode Fuzzy Hash: 053a4352e8fc7053a33c896e70bc282c9dddf1096863c84ef1b5a3bc2f44ad5d
                                    • Instruction Fuzzy Hash: F4C14A71A083019FC754DF28C480A6ABBF6FF48314F14896EF89A9B351D731E946CB92
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 006C83D8
                                    • CoUninitialize.OLE32 ref: 006C83E3
                                      • Part of subcall function 006ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ADAC5
                                    • VariantInit.OLEAUT32(?), ref: 006C83EE
                                    • VariantClear.OLEAUT32(?), ref: 006C86BF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: 375ada345b625c79e9d1b076c241be26e33dce806dcdb37b427f35cb2b4a4468
                                    • Instruction ID: a817634f3e95146adbf769e9eda779471b4ca6e9964a13a1aa7def60efab2687
                                    • Opcode Fuzzy Hash: 375ada345b625c79e9d1b076c241be26e33dce806dcdb37b427f35cb2b4a4468
                                    • Instruction Fuzzy Hash: FDA102752046019FCB60DF15C881B6AB7E6FF88314F08845DF99A9B3A1CB30ED05CB96
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 49e1d37b8d70f111bb27b7d9795e76427ad7a96272c111986158dc4d3ff804aa
                                    • Instruction ID: af4057041f62785fedc99d312c07f0962ca93f7a58f7ad0da8410102b6892201
                                    • Opcode Fuzzy Hash: 49e1d37b8d70f111bb27b7d9795e76427ad7a96272c111986158dc4d3ff804aa
                                    • Instruction Fuzzy Hash: 7F51E770608301DEDB60BF65D891A6AB3E7AF4A310F24881FF956CB291DB709C41DF25
                                    APIs
                                    • GetWindowRect.USER32(016CE738,?), ref: 006D9AD2
                                    • ScreenToClient.USER32(00000002,00000002), ref: 006D9B05
                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006D9B72
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 12346cc7ac2a1f0e2a84297cf8097ec45ddde18eb84d584c10ba002af9c3b532
                                    • Instruction ID: fff6dad7f54d078c52f321f2bb9ebf154b1415e133c7d5354d3c98196541b516
                                    • Opcode Fuzzy Hash: 12346cc7ac2a1f0e2a84297cf8097ec45ddde18eb84d584c10ba002af9c3b532
                                    • Instruction Fuzzy Hash: 1851FC35E01249AFCF14DF68D881AEE7BB6FB55360F15826AF8159B390D730AD41CBA0
                                    APIs
                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 006C6CE4
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6CF4
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006C6D58
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C6D64
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ErrorLast$__itow__swprintfsocket
                                    • String ID:
                                    • API String ID: 2214342067-0
                                    • Opcode ID: b8bd99c7cec75160df151ed4d8b35abc4ee46a45e3fed4efd02fb085d9ee336f
                                    • Instruction ID: e6c1531364bc0716c37a0ede0ad57b7fce4772dd58acc3472fedd1acb5ed11b3
                                    • Opcode Fuzzy Hash: b8bd99c7cec75160df151ed4d8b35abc4ee46a45e3fed4efd02fb085d9ee336f
                                    • Instruction Fuzzy Hash: 21418274740200AFEB50AF24DC87F7A77E6DF44B10F44801DFA5AAB2D2DA719D048BA9
                                    APIs
                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006DF910), ref: 006C67BA
                                    • _strlen.LIBCMT ref: 006C67EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _strlen
                                    • String ID:
                                    • API String ID: 4218353326-0
                                    • Opcode ID: f91c66c1bae54d6155a3c0198179f1967943116d51aff4fb349c301ce47b30c8
                                    • Instruction ID: c941c33257519e06dab5f8d6c7e49a02af0087eb75fc9f3f3d82f82f3fc0dd12
                                    • Opcode Fuzzy Hash: f91c66c1bae54d6155a3c0198179f1967943116d51aff4fb349c301ce47b30c8
                                    • Instruction Fuzzy Hash: 2141A231A01104ABCB54EB64DCD5FBEB3ABEF44314F14816DF91A9B292DB30AD05CB69
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006BBB09
                                    • GetLastError.KERNEL32(?,00000000), ref: 006BBB2F
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006BBB54
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006BBB80
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    • Opcode ID: 8bafd03f70c27ddcec9ef3752e9e0ecd276283d6642ef36b40860e6664e5bc90
                                    • Instruction ID: a045812fc260efd76c2026ece1c74ea2fb28ebc4bec2873325632357f8aaa4f9
                                    • Opcode Fuzzy Hash: 8bafd03f70c27ddcec9ef3752e9e0ecd276283d6642ef36b40860e6664e5bc90
                                    • Instruction Fuzzy Hash: 4B413639600610DFCB10EF15C584A9DBBE2EF89310F098489EC8A9B362CB70FD45CBA5
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006D8B4D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 299da3fb10575fe3cae842c45fe1b07201670ecacbe32d707a283e472804aa0d
                                    • Instruction ID: 3236e7c6c96276287de3f71ebe8bfba19c292918ec089ef2b4d80310b9a6dba2
                                    • Opcode Fuzzy Hash: 299da3fb10575fe3cae842c45fe1b07201670ecacbe32d707a283e472804aa0d
                                    • Instruction Fuzzy Hash: 113190B4E00204BEEB219B18CC4DFE937A7EB05310F248517FA51D73E1CE30A9409B51
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 006DAE1A
                                    • GetWindowRect.USER32(?,?), ref: 006DAE90
                                    • PtInRect.USER32(?,?,006DC304), ref: 006DAEA0
                                    • MessageBeep.USER32(00000000), ref: 006DAF11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    • Opcode ID: 92b57778c70e6eac728cc73e6d2caeb0848a22a7fb57422ef46b6c9f982e3b1e
                                    • Instruction ID: e72de18e74efc959d033382c5cada842129bbbf0c8b75875ece83e1f639eef4c
                                    • Opcode Fuzzy Hash: 92b57778c70e6eac728cc73e6d2caeb0848a22a7fb57422ef46b6c9f982e3b1e
                                    • Instruction Fuzzy Hash: B9416F70A08115DFCB11CF99C884BA9BBF6FB89350F1881AAE415DB351D730E942EB56
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006B1037
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 006B1053
                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006B10B9
                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006B110B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
                                    • Instruction ID: 6024d2e2c68fd2dd5bea67f82806ab19ba82b76c2fbb0bfca1c1573cdd30cbc5
                                    • Opcode Fuzzy Hash: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
                                    • Instruction Fuzzy Hash: 8B3180B0E40698FEFF309B658C157FABBABAF46310F84432AF5815A2D0CB7449C19765
                                    APIs
                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 006B1176
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 006B1192
                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 006B11F1
                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 006B1243
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    • Opcode ID: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
                                    • Instruction ID: d5414a2b096f9e0c32155c298dc4a718b5a585ebae69b11babd531c5c06a8e38
                                    • Opcode Fuzzy Hash: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
                                    • Instruction Fuzzy Hash: C0314BB0D402187AFF208B698C257FA7BABAB46310F84431FE6919A6D1C3354AD58751
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068644B
                                    • __isleadbyte_l.LIBCMT ref: 00686479
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006864A7
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006864DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    • Opcode ID: d2238880bf422297911690249cc108e04c1db1a8e15e833fbf54b5657e493d27
                                    • Instruction ID: dac6b534151aeb0488c1330d3c7c7a608671ca40119f33c9c47418d6c6033598
                                    • Opcode Fuzzy Hash: d2238880bf422297911690249cc108e04c1db1a8e15e833fbf54b5657e493d27
                                    • Instruction Fuzzy Hash: 1331CF31600256EFDB21AF65CC45BAE7BE7FF40320F158229F855872A1EB31D851DB90
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 006D5189
                                      • Part of subcall function 006B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006B3897
                                      • Part of subcall function 006B387D: GetCurrentThreadId.KERNEL32 ref: 006B389E
                                      • Part of subcall function 006B387D: AttachThreadInput.USER32(00000000,?,006B52A7), ref: 006B38A5
                                    • GetCaretPos.USER32(?), ref: 006D519A
                                    • ClientToScreen.USER32(00000000,?), ref: 006D51D5
                                    • GetForegroundWindow.USER32 ref: 006D51DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    • Opcode ID: 96f16ee0ffec38ec37aa74049522f245340b70c55410de9c2bece3e6a1ebacbf
                                    • Instruction ID: e746339cf9a59603aa8a3e8316a8b9e2b57565ac341cdf26e0ae402db71efe59
                                    • Opcode Fuzzy Hash: 96f16ee0ffec38ec37aa74049522f245340b70c55410de9c2bece3e6a1ebacbf
                                    • Instruction Fuzzy Hash: 4C312F71E00118AFDB40EFA5CC459EFB7FAEF98300F10406AE816E7241DA759E45CBA4
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • GetCursorPos.USER32(?), ref: 006DC7C2
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0068BBFB,?,?,?,?,?), ref: 006DC7D7
                                    • GetCursorPos.USER32(?), ref: 006DC824
                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0068BBFB,?,?,?), ref: 006DC85E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                    • String ID:
                                    • API String ID: 2864067406-0
                                    • Opcode ID: 8e69aab2f2341044991c50bcddcae8983766d633b3f149f26b4ab18778991a91
                                    • Instruction ID: 00c05830e7b7d8383dd352f704df314c97e551aef05f5f01bd15637415bb86ce
                                    • Opcode Fuzzy Hash: 8e69aab2f2341044991c50bcddcae8983766d633b3f149f26b4ab18778991a91
                                    • Instruction Fuzzy Hash: 69318535A00019AFCB15CF98D898EEA7FBBEB49320F04406AF906873A1C7355D51EF64
                                    APIs
                                    • __setmode.LIBCMT ref: 00670BF2
                                      • Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7B20,?,?,00000000), ref: 00655B8C
                                      • Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7B20,?,?,00000000,?,?), ref: 00655BB0
                                    • _fprintf.LIBCMT ref: 00670C29
                                    • OutputDebugStringW.KERNEL32(?), ref: 006A6331
                                      • Part of subcall function 00674CDA: _flsall.LIBCMT ref: 00674CF3
                                    • __setmode.LIBCMT ref: 00670C5E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                    • String ID:
                                    • API String ID: 521402451-0
                                    • Opcode ID: 341ceb289e7ee92091e452b344dd08f28024689f6b845c288c8fe6d3e1f93f23
                                    • Instruction ID: dd68e7b27fb7438578866be1a8b6bd886131a883d8432f740c12fc951eaffa71
                                    • Opcode Fuzzy Hash: 341ceb289e7ee92091e452b344dd08f28024689f6b845c288c8fe6d3e1f93f23
                                    • Instruction Fuzzy Hash: 57112731904208BEDB45B3B89C4B9FE7B6F9F45320F18815EF20957192DF311D8687A9
                                    APIs
                                      • Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8669
                                      • Part of subcall function 006A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A8673
                                      • Part of subcall function 006A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8682
                                      • Part of subcall function 006A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8689
                                      • Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A869F
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006A8BEB
                                    • _memcmp.LIBCMT ref: 006A8C0E
                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A8C44
                                    • HeapFree.KERNEL32(00000000), ref: 006A8C4B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                    • String ID:
                                    • API String ID: 1592001646-0
                                    • Opcode ID: 1947faf47c71ccbd6348512db6980ac7f2c33af67aa64a9f72b7ca0bcdb5db9c
                                    • Instruction ID: 3d07022bd3231f4bfc351bd2aa3219858acc45433e2e73ae31818d4068879956
                                    • Opcode Fuzzy Hash: 1947faf47c71ccbd6348512db6980ac7f2c33af67aa64a9f72b7ca0bcdb5db9c
                                    • Instruction Fuzzy Hash: 6C216871E02208AFDB00EFA4C944BEEB7BAEB41351F044099E456A7240DA30AE06CF60
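The "API ID" printed under Similarity for each function is a fingerprint of the call sites listed in its APIs block, and the report never says how it is built. The Python below is an added example, not Joe Sandbox code: it rebuilds that string from an APIs block by the rule the values in this report exhibit (split every API name before each capital letter, drop fragments shorter than four characters, count each fragment across direct calls and "Part of subcall function" calls alike, join the groups from most to least frequent with "$", and concatenate each group in code-point order). The sample block is copied from the GetTokenInformation/LookupPrivilegeValueW function above; the four-character minimum and the rule itself are inferred from the report's own values, not documented by the vendor.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample: the APIs block of the function whose fingerprint the report
# prints as "Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp".
SAMPLE_BLOCK = """\
• Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8669
• Part of subcall function 006A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A8673
• Part of subcall function 006A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8682
• Part of subcall function 006A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8689
• Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A869F
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006A8BEB
• _memcmp.LIBCMT ref: 006A8C0E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A8C44
• HeapFree.KERNEL32(00000000), ref: 006A8C4B
"""

# One call site per line: an optional "Part of subcall function XXXX:" prefix,
# then <name>.<MODULE>, followed either by an argument list or by "ref:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9]*)(?=[\s(])",
    re.MULTILINE,
)

# Inferred, not documented: fragments such as Get, Pos, Dlg, Url, Rtl, Io and W
# never show up in any API ID in the report, while Last, Free, Kill and Icon do.
MIN_TOKEN_LEN = 4


def api_calls(block: str) -> list:
    """Return (name, module) for every call site in an APIs block, direct calls
    and 'Part of subcall function' calls alike."""
    return [(m.group("name"), m.group("module")) for m in API_LINE.finditer(block)]


def tokens(name: str) -> list:
    """Split an API name before each capital letter and drop short fragments.
    '_LocaleUpdate::_LocaleUpdate' -> ['Locale', 'Update::_', 'Locale', 'Update'],
    '_memset' stays whole, 'WSAGetLastError' -> ['Last', 'Error']."""
    return [t for t in re.split(r"(?=[A-Z])", name) if len(t) >= MIN_TOKEN_LEN]


def api_id(block: str) -> str:
    """Rebuild the report's 'API ID': fragments grouped by occurrence count,
    most frequent group first, groups joined with '$', and the fragments of
    each group concatenated in code-point order (so '_memcmp' sorts after
    'Value' and '__isleadbyte_l' after 'Update::_')."""
    counts = Counter(tok for name, _ in api_calls(block) for tok in tokens(name))
    tiers = {}
    for tok, n in counts.items():
        tiers.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


if __name__ == "__main__":
    print(api_id(SAMPLE_BLOCK))
```

Run over the block above, api_id returns exactly the string the report prints for that function, and the same rule reproduces the other API ID values in this section, including the three-tier "ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen" of the caret-position function. The numeric "API String ID" is a hash of that string and of the String ID; the report does not reveal the hash function, so the example does not attempt it.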
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006C1A97
                                      • Part of subcall function 006C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C1B40
                                      • Part of subcall function 006C1B21: InternetCloseHandle.WININET(00000000), ref: 006C1BDD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    • Opcode ID: 925d60ef2ca3373e1b41aa593ab9a259d8a28e7a3891859569933bc75be233db
                                    • Instruction ID: c77cb4468a1f789369e496d6ee30d4320cee5d2a9468d61f8b50352dfb005408
                                    • Opcode Fuzzy Hash: 925d60ef2ca3373e1b41aa593ab9a259d8a28e7a3891859569933bc75be233db
                                    • Instruction Fuzzy Hash: 5C21A175201605BFDB129F609C01FBBB7AFFF46701F14001EFA169A652EB71E8119BA4
                                    APIs
                                      • Part of subcall function 006AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006AE1C4,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?), ref: 006AF5BC
                                      • Part of subcall function 006AF5AD: lstrcpyW.KERNEL32(00000000,?,?,006AE1C4,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AF5E2
                                      • Part of subcall function 006AF5AD: lstrcmpiW.KERNEL32(00000000,?,006AE1C4,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?), ref: 006AF613
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AE1DD
                                    • lstrcpyW.KERNEL32(00000000,?,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AE203
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AE237
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    • Opcode ID: 04ca5b27595d179ebd0218d01fa45fb45d94ef76acb87498e84cb16959d1b88c
                                    • Instruction ID: 0fc788031163ae65a78be7794aa991b52da7ef2b2a7ae86abea9027338572e5f
                                    • Opcode Fuzzy Hash: 04ca5b27595d179ebd0218d01fa45fb45d94ef76acb87498e84cb16959d1b88c
                                    • Instruction Fuzzy Hash: 5B119336200345EFCB25BF64DC45E7A77AAFF46350B40802AF806CB264EB729D51DBA5
                                    APIs
                                    • _free.LIBCMT ref: 00685351
                                      • Part of subcall function 0067594C: __FF_MSGBANNER.LIBCMT ref: 00675963
                                      • Part of subcall function 0067594C: __NMSG_WRITE.LIBCMT ref: 0067596A
                                      • Part of subcall function 0067594C: RtlAllocateHeap.NTDLL(016B0000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    • Opcode ID: 030720d4fbc13d540949316eb17d2670bf0b83dc55e822eb6cddd2694cf5a55e
                                    • Instruction ID: 636b0383632b261384597566884067bec7f84e48f12770384abffb813a2b69e6
                                    • Opcode Fuzzy Hash: 030720d4fbc13d540949316eb17d2670bf0b83dc55e822eb6cddd2694cf5a55e
                                    • Instruction Fuzzy Hash: BF110432544A15AFCF313F70E80869937975F103E0B10862EF90A9B290EAB58D419394
                                    APIs
                                    • _memset.LIBCMT ref: 00654560
                                      • Part of subcall function 0065410D: _memset.LIBCMT ref: 0065418D
                                      • Part of subcall function 0065410D: _wcscpy.LIBCMT ref: 006541E1
                                      • Part of subcall function 0065410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006541F1
                                    • KillTimer.USER32(?,00000001,?,?), ref: 006545B5
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006545C4
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0068D6CE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    • Opcode ID: e86efbe86fb271a034b6df4e64080372c1a1557b4f57851f3638ef1b17149dbc
                                    • Instruction ID: 0811fcb6cdfcb3f8cb2b19d9588740d1199650e948e95dfe20cf3e19d50af765
                                    • Opcode Fuzzy Hash: e86efbe86fb271a034b6df4e64080372c1a1557b4f57851f3638ef1b17149dbc
                                    • Instruction Fuzzy Hash: 3F212C709047889FEB329B24DC45BE7BBEEAF01309F00009EE69E562C1DB741AC9CB51
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006B40D1
                                    • _memset.LIBCMT ref: 006B40F2
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006B4144
                                    • CloseHandle.KERNEL32(00000000), ref: 006B414D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: fdc45ed8a834c93c5f841ec94cce8a2815bb0daacdf26776c6c1b48ce264ffa7
                                    • Instruction ID: bcc3ec797a2fae5ccbddaee9421d8eb77fa40ba6672caea67c5df361a6908b89
                                    • Opcode Fuzzy Hash: fdc45ed8a834c93c5f841ec94cce8a2815bb0daacdf26776c6c1b48ce264ffa7
                                    • Instruction Fuzzy Hash: 25119875D412287AD7309BA59C4DFEBBB7DEB44760F10419AF908D7280D6744F808BA4
                                    APIs
                                      • Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7B20,?,?,00000000), ref: 00655B8C
                                      • Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7B20,?,?,00000000,?,?), ref: 00655BB0
                                    • gethostbyname.WSOCK32(?,?,?), ref: 006C66AC
                                    • WSAGetLastError.WSOCK32(00000000), ref: 006C66B7
                                    • _memmove.LIBCMT ref: 006C66E4
                                    • inet_ntoa.WSOCK32(?), ref: 006C66EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                    • String ID:
                                    • API String ID: 1504782959-0
                                    • Opcode ID: 93f578d9858f5e85855db485c83ab46031b09fec6c7f8bd71a4f0656ffc0a61e
                                    • Instruction ID: 2419f52478a7fada19ee5fd88227842475be49192802f077e78fd0c4dc9941bc
                                    • Opcode Fuzzy Hash: 93f578d9858f5e85855db485c83ab46031b09fec6c7f8bd71a4f0656ffc0a61e
                                    • Instruction Fuzzy Hash: 81114F35900508AFCB40EBA4D99ADEE77BAEF14311B14406DF907A7161DF309F04DBA5
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 006A9043
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A9055
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A906B
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A9086
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 48725077ede48ddd8524ea1902ab79d0686450f7dc7be43bc0978a19a7615a12
                                    • Instruction ID: b1bd8e2b4d6d6fed3e9a800fc789c56ed8600325b1aeb44de51d1731eb83aae7
                                    • Opcode Fuzzy Hash: 48725077ede48ddd8524ea1902ab79d0686450f7dc7be43bc0978a19a7615a12
                                    • Instruction Fuzzy Hash: 8A115E79901218FFDB10DFA5CC84EDDBB75FB49350F204095E904B7290D6716E10DBA4
                                    APIs
                                      • Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623
                                    • DefDlgProcW.USER32(?,00000020,?), ref: 006512D8
                                    • GetClientRect.USER32(?,?), ref: 0068B84B
                                    • GetCursorPos.USER32(?), ref: 0068B855
                                    • ScreenToClient.USER32(?,?), ref: 0068B860
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Client$CursorLongProcRectScreenWindow
                                    • String ID:
                                    • API String ID: 4127811313-0
                                    • Opcode ID: 25e87bffb83d2e057ac46aca461a5c157d63cd174ae394dd04b98d464862c9d3
                                    • Instruction ID: 5f43c04678c5353809181fde0f4c1a4f71e415123d18c3b2a17d7c01eabbe1b8
                                    • Opcode Fuzzy Hash: 25e87bffb83d2e057ac46aca461a5c157d63cd174ae394dd04b98d464862c9d3
                                    • Instruction Fuzzy Hash: 93110D35901019BFCB10DFA8D885AFE77BAEB06305F104556F911E7251C730BB95CBA9
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B166F
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B1694
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B169E
                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B16D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CounterPerformanceQuerySleep
                                    • String ID:
                                    • API String ID: 2875609808-0
                                    • Opcode ID: 6368033ec2d34332fb11618dfc4acebb0fd37cba6f82117a037c1086a5604cfe
                                    • Instruction ID: 003112455097cec4198e3751fc09fa621edc15886445f6e5a1c6a308da805b85
                                    • Opcode Fuzzy Hash: 6368033ec2d34332fb11618dfc4acebb0fd37cba6f82117a037c1086a5604cfe
                                    • Instruction Fuzzy Hash: 86118E71C0151CE7CF009FA5D858AEEBB79FF0A741F54405AE941BA240DB3055A0CB96
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction ID: f8e381d61c0df0911694416f5b74bfd1fae0993a9c4bf7895775315fd98728a9
                                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                    • Instruction Fuzzy Hash: 3F018C3204814ABBCF526E84DC518EE3F23BF29340B288615FA2858131D337CAB1AB81
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 006DB59E
                                    • ScreenToClient.USER32(?,?), ref: 006DB5B6
                                    • ScreenToClient.USER32(?,?), ref: 006DB5DA
                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006DB5F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClientRectScreen$InvalidateWindow
                                    • String ID:
                                    • API String ID: 357397906-0
                                    • Opcode ID: 22dd4180203abc6017a599394385c3db27124c49c081852419a3c916734dde69
                                    • Instruction ID: e3062c49514a6650303790f08d754a072c7acbf36186bd4bac9f1521370b6e97
                                    • Opcode Fuzzy Hash: 22dd4180203abc6017a599394385c3db27124c49c081852419a3c916734dde69
                                    • Instruction Fuzzy Hash: 431163B9D00249EFDB01CFA9D8849EEFBB9FB08310F109166E915E3720D731AA518F90
                                    APIs
                                    • _memset.LIBCMT ref: 006DB8FE
                                    • _memset.LIBCMT ref: 006DB90D
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00717F20,00717F64), ref: 006DB93C
                                    • CloseHandle.KERNEL32 ref: 006DB94E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: 56b7d7a91fd07fcada7dc1fa97ee78c57fc2095465c40f5f5784c5918affb79a
                                    • Instruction ID: f36811fa157d35681f0a6e3046b339685034ea3dec0de8dfffd1e501e0962aaa
                                    • Opcode Fuzzy Hash: 56b7d7a91fd07fcada7dc1fa97ee78c57fc2095465c40f5f5784c5918affb79a
                                    • Instruction Fuzzy Hash: BDF05EB2544310BBE3106769AC06FFB3AAEEB09754F01D031BA09D52D2D7798902C7AD
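The two records above (the QueryPerformanceCounter / Sleep / QueryPerformanceCounter function whose call sites run from 006B166F to 006B16D1, and the CreateProcessW function at 006DB93C) are the kind of per-function API listing that is easier to triage mechanically than by eye. What follows is an added example and not part of the Joe Sandbox report or its IDA plugin: a small parser for function records in the plain-text form shown on this page, plus two checks on the parsed calls. The first flags the timer / Sleep / timer bracketing that underlies the report's "Contains functionality for execution timing" signature; the second decodes the dwCreationFlags argument recorded for CreateProcessW (here 0x20, NORMAL_PRIORITY_CLASS, with the CREATE_SUSPENDED bit 0x4 clear). The sample input is the two records copied from above with the page's link residue and the hash lines not needed here left out; the tag names, the choice of "Instruction Fuzzy Hash" as the record terminator, and the hex parsing of recorded arguments are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function records copied from the report above, with the
# "Download File" link residue and the hash lines not needed here left out.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B166F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B1694
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B169E
• Sleep.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B16D1
Memory Dump Source
• Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
Similarity
• API ID: CounterPerformanceQuerySleep
• Instruction Fuzzy Hash: 86118E71C0151CE7CF009FA5D858AEEBB79FF0A741F54405AE941BA240DB3055A0CB96
APIs
• _memset.LIBCMT ref: 006DB8FE
• _memset.LIBCMT ref: 006DB90D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00717F20,00717F64), ref: 006DB93C
• CloseHandle.KERNEL32 ref: 006DB94E
Similarity
• API ID: _memset$CloseCreateHandleProcess
• Instruction Fuzzy Hash: BDF05EB2544310BBE3106769AC06FFB3AAEEB09754F01D031BA09D52D2D7798902C7AD
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(  # "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w$@]+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
TIMERS = {"QueryPerformanceCounter", "GetTickCount", "GetTickCount64", "timeGetTime"}
CREATE_SUSPENDED = 0x00000004  # Win32 dwCreationFlags bit; NORMAL_PRIORITY_CLASS is 0x20

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]                   # as recorded; "?" means not a constant at that site
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # set when the call sits inside a callee

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # Source File, API ID, hashes

def parse_records(text: str) -> list[FunctionRecord]:
    """One record per function; a record is closed by its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SECTIONS:
            section = line or section  # blank lines do not change the section
            continue
        m = API_RE.match(line)
        if section == "APIs" and m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        kv = KV_RE.match(line)
        if kv and section != "APIs":
            key = kv["key"].strip()
            cur.meta[key] = kv["val"].strip()
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

def own_calls(rec: FunctionRecord) -> list[str]:
    """Names of calls made directly by the function, in call-site address order."""
    return [c.name for c in sorted(rec.apis, key=lambda c: int(c.ref, 16)) if c.subcall_of is None]

def has_timing_check(rec: FunctionRecord) -> bool:
    """timer -> Sleep -> timer in one function: the delay is measured and compared
    with the expected value, which a single-stepped or slowed process fails."""
    want, i = ("timer", "Sleep", "timer"), 0
    for n in own_calls(rec):
        if (want[i] == "timer" and n in TIMERS) or n == want[i]:
            i += 1
            if i == len(want):
                return True
    return False

def creation_flags(rec: FunctionRecord) -> Optional[int]:
    """dwCreationFlags (6th argument) of the first CreateProcess* call, or None if not a constant."""
    for c in rec.apis:
        if c.name.startswith("CreateProcess") and len(c.args) >= 6:
            return int(c.args[5], 16) if re.fullmatch(r"[0-9A-Fa-f]+", c.args[5]) else None
    return None

def triage(rec: FunctionRecord) -> list[str]:
    """Tag names are this example's own, not Joe Sandbox signature names."""
    tags = ["timing-check"] if has_timing_check(rec) else []
    if any(c.name.startswith("CreateProcess") for c in rec.apis if c.subcall_of is None):
        tags.append("spawns-process")
        flags = creation_flags(rec)
        if flags is not None and flags & CREATE_SUSPENDED:
            tags.append("create-suspended")  # the usual first step of process hollowing
    return tags
```

Running triage() over parse_records(SAMPLE) tags the first record "timing-check" and the second "spawns-process" only: the recorded creation flags are 0x20, so this particular CreateProcessW site is not the suspended-process creation that hollowing needs, and the hollowing evidence the report cites must come from elsewhere in the sample. Calls listed as "Part of subcall function" are kept but excluded from own_calls(), so a timing pattern is only attributed to the function whose call sites actually form it.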
                                    APIs
                                    • EnterCriticalSection.KERNEL32(?), ref: 006B6E88
                                      • Part of subcall function 006B794E: _memset.LIBCMT ref: 006B7983
                                    • _memmove.LIBCMT ref: 006B6EAB
                                    • _memset.LIBCMT ref: 006B6EB8
                                    • LeaveCriticalSection.KERNEL32(?), ref: 006B6EC8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                    • String ID:
                                    • API String ID: 48991266-0
                                    • Opcode ID: c3f78375985cbb92bd5498568a4c367e5daba9a37900c5c101b87b4e56ca7cb1
                                    • Instruction ID: d4b0e55a295cd2497474a6734b37912d715bda29f2993605537bab3755b7e4d9
                                    • Opcode Fuzzy Hash: c3f78375985cbb92bd5498568a4c367e5daba9a37900c5c101b87b4e56ca7cb1
                                    • Instruction Fuzzy Hash: 92F0547A100210AFCF416F95DC85A89BB2BEF45320B04C065FE095F217C731A951DBB5
                                    APIs
                                      • Part of subcall function 006512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
                                      • Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065135C
                                      • Part of subcall function 006512F3: BeginPath.GDI32(?), ref: 00651373
                                      • Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065139C
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006DC030
                                    • LineTo.GDI32(00000000,?,?), ref: 006DC03D
                                    • EndPath.GDI32(00000000), ref: 006DC04D
                                    • StrokePath.GDI32(00000000), ref: 006DC05B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: 9b2d0c1ddb6a7a09f11408f09e86cc3466867f50cdc7d487f86965a2c3199db6
                                    • Instruction ID: 171d9a8f9b2bdf3b42ea0b03582a413b9d2e76a00222467fea24b7877119e934
                                    • Opcode Fuzzy Hash: 9b2d0c1ddb6a7a09f11408f09e86cc3466867f50cdc7d487f86965a2c3199db6
                                    • Instruction Fuzzy Hash: 58F0E931401219F7DB121F54AC09FCE3F566F05311F048001FA12211E1C7750650CFD9
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006AA399
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 006AA3AC
                                    • GetCurrentThreadId.KERNEL32 ref: 006AA3B3
                                    • AttachThreadInput.USER32(00000000), ref: 006AA3BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: 5a4bb87a4c70b6d5c6b88215351fc4cd4ff79b692600f3af6819cacd72750fc5
                                    • Instruction ID: 929295b5cbc405cddae55bf0b6edd2f30b654ef7fc77ecaf7c30f64f7f81e79e
                                    • Opcode Fuzzy Hash: 5a4bb87a4c70b6d5c6b88215351fc4cd4ff79b692600f3af6819cacd72750fc5
                                    • Instruction Fuzzy Hash: F0E01531942268BADF202BA2DC0CEE73F1EEF167A1F048026B50AC4460C771C940CBA0
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 00652231
                                    • SetTextColor.GDI32(?,000000FF), ref: 0065223B
                                    • SetBkMode.GDI32(?,00000001), ref: 00652250
                                    • GetStockObject.GDI32(00000005), ref: 00652258
                                    • GetWindowDC.USER32(?,00000000), ref: 0068C0D3
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0068C0E0
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0068C0F9
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0068C112
                                    • GetPixel.GDI32(00000000,?,?), ref: 0068C132
                                    • ReleaseDC.USER32(?,00000000), ref: 0068C13D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: 68c7b6ba081dce46c7c4b32eeee895d9adcb476fc325b6941985ff170d154602
                                    • Instruction ID: 6b7416263d6d0919634c0217eb540012d7c1670c83f87727b2d47cf833787f94
                                    • Opcode Fuzzy Hash: 68c7b6ba081dce46c7c4b32eeee895d9adcb476fc325b6941985ff170d154602
                                    • Instruction Fuzzy Hash: 85E06D32900244EADB215FA4FC0D7D83B12EB16332F048367FAAA481E187724A84DB21
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 006A8C63
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,006A882E), ref: 006A8C6A
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006A882E), ref: 006A8C77
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,006A882E), ref: 006A8C7E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
                                    • Instruction ID: c8c6153501b415f68d5161d8e5d69516f80df3cb72e4946d44d7be70e78a30ff
                                    • Opcode Fuzzy Hash: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
                                    • Instruction Fuzzy Hash: 96E04F36A432119BD7206FB06D0CB963BAAAF51BA2F099829B247CA040DA3488418F61
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 00692187
                                    • GetDC.USER32(00000000), ref: 00692191
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006921B1
                                    • ReleaseDC.USER32(?), ref: 006921D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: b5723bf9377e7b7ccf3f9789163db14cf3969b3bcaa07713b9f5c51eeb24abfa
                                    • Instruction ID: 9329d55918f88e2a91c778720557c270cec3a231b81124195f8c128d31db97bf
                                    • Opcode Fuzzy Hash: b5723bf9377e7b7ccf3f9789163db14cf3969b3bcaa07713b9f5c51eeb24abfa
                                    • Instruction Fuzzy Hash: 61E0E575801204EFDF119F60C808A9D7BF6EB4C361F10842AFD5B97620CB3982429F50
                                    APIs
                                    • GetDesktopWindow.USER32 ref: 0069219B
                                    • GetDC.USER32(00000000), ref: 006921A5
                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006921B1
                                    • ReleaseDC.USER32(?), ref: 006921D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 7eb01dd8a8bc11730ea89aa9c322d72f1f16f261c8f7015f137e9697a71e2bbe
                                    • Instruction ID: 2cce584e16bda52f87285989bef682fdbfc4f66a04b14d76be80e0cedc900719
                                    • Opcode Fuzzy Hash: 7eb01dd8a8bc11730ea89aa9c322d72f1f16f261c8f7015f137e9697a71e2bbe
                                    • Instruction Fuzzy Hash: DFE0EEB5C01204AFCB119FA0C80869D7BE2EB4C321F10802AF95AA7620CB3992429F50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: %n
                                    • API String ID: 0-2798127140
                                    • Opcode ID: 93b259975066fa91168fa49d1c0e5ab3fde785333cedd011976ed6a9fdd377f0
                                    • Instruction ID: 5c4c324fae1ed6786e06cafbeeb4520107acbae130223e7b654d8e0bffaf9db3
                                    • Opcode Fuzzy Hash: 93b259975066fa91168fa49d1c0e5ab3fde785333cedd011976ed6a9fdd377f0
                                    • Instruction Fuzzy Hash: 5AB1A37190010A9BCF14EF94C4959EDB7B6FF44312F94416AFD02A7291EB309E8ACB65
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: __itow_s
                                    • String ID: xrq$xrq
                                    • API String ID: 3653519197-2399829976
                                    • Opcode ID: ee8ff3ff0657bbe9ccb6345ba52cb86cb94d471e0e396c44c345b56baa54f275
                                    • Instruction ID: eb94c269c3e9fc45d465307c6ce41f4dce8e859d48faccaa78d4e1bde8c3c14b
                                    • Opcode Fuzzy Hash: ee8ff3ff0657bbe9ccb6345ba52cb86cb94d471e0e396c44c345b56baa54f275
                                    • Instruction Fuzzy Hash: 0EB17E70A04209AFCB14DF54C891EFAB7BAFF58300F14945DF9459B292DB34DA85CB64
                                    APIs
                                      • Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9
                                      • Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
                                      • Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C
                                    • __wcsnicmp.LIBCMT ref: 006BB298
                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006BB361
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                    • String ID: LPT
                                    • API String ID: 3222508074-1350329615
                                    • Opcode ID: 0b1d319092c8ef5f4a8c2831235a7fff94a13aa93d10e8178689892d2eee29b0
                                    • Instruction ID: a7295571355fdfd8d4aaf00b1e7dab4e6153bdc119aef5b9669a71f6b5749d7f
                                    • Opcode Fuzzy Hash: 0b1d319092c8ef5f4a8c2831235a7fff94a13aa93d10e8178689892d2eee29b0
                                    • Instruction Fuzzy Hash: AF6160B5A00219EFCB14DF54C881EEEB7F6AF08310F15505AF946AB391DBB0AE84CB54
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                     • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID: Oaf
                                    • API String ID: 4104443479-1555074404
                                    • Opcode ID: 2595069ae295486306208ec29ce359bb72bb0a4b749955b45350b7f300c18984
                                    • Instruction ID: 593c4c5f0c6ee02d700a85a7a4de875b67765e651cf9230d21452d44e87a0c83
                                    • Opcode Fuzzy Hash: 2595069ae295486306208ec29ce359bb72bb0a4b749955b45350b7f300c18984
                                    • Instruction Fuzzy Hash: 2B512BB0A00609DFCF64CF68C880AAEBBB6FF45314F14452AE85AD7750EB31AD55CB51
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 00662AC8
                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00662AE1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: cc2a638f1d332ed4748c39d0685582fadf32bb32e2ea4372d744a888769eed07
                                    • Instruction ID: 31e45818ff2933c4d1c09a4cb3107c9291942f81cd239cc0e8c90b0036f53fd8
                                    • Opcode Fuzzy Hash: cc2a638f1d332ed4748c39d0685582fadf32bb32e2ea4372d744a888769eed07
                                    • Instruction Fuzzy Hash: 63514472418744DBD360AF50DC86BABBBE8FF84315F82885DF5D9411A1DB30892DCB2A
                                    APIs
                                      • Part of subcall function 0065506B: __fread_nolock.LIBCMT ref: 00655089
                                    • _wcscmp.LIBCMT ref: 006B9AAE
                                    • _wcscmp.LIBCMT ref: 006B9AC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: 26ef2698b9018ac36892192b8a082aefb426a9886bcdafecd843b8a6b44eac31
                                    • Instruction ID: f927a386418d14a3fb72d21e5038b9088ddae599f7a1a6e8285d68e92699497f
                                    • Opcode Fuzzy Hash: 26ef2698b9018ac36892192b8a082aefb426a9886bcdafecd843b8a6b44eac31
                                    • Instruction Fuzzy Hash: 4041D6B1A00619BBDF20AAA0DC45FEFBBFEDF45710F00406DBA05A72C1DA759A4487A5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID: Dtq$Dtq
                                    • API String ID: 1473721057-1304160401
                                    • Opcode ID: 1e382372359c5a64be82be6c253905b19240196cf5a4bc15c80f57cf4e24394a
                                    • Instruction ID: c93dd07e44a0a6719ace18af1798a81cdf8a2af7ce8a6687bd02f41e73036e7a
                                    • Opcode Fuzzy Hash: 1e382372359c5a64be82be6c253905b19240196cf5a4bc15c80f57cf4e24394a
                                    • Instruction Fuzzy Hash: BE5104786083418FD754CF58C080A6ABBF2BB99355F548A5DE8858B361D332EC85CB82
                                    APIs
                                    • _memset.LIBCMT ref: 006C2892
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006C28C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: f57c3df70feb79328dd8987c53ebd6da8c2028a9a1544a737fba737bcf07c559
                                    • Instruction ID: b981268f39d462b2932f239f658ae6b3a1308956fdcfbba08efc4b4146efcd0f
                                    • Opcode Fuzzy Hash: f57c3df70feb79328dd8987c53ebd6da8c2028a9a1544a737fba737bcf07c559
                                    • Instruction Fuzzy Hash: 25311C7180011AAFCF41DFA1DC85EEEBFBAFF08310F104069FC15A6265DA31595ADB60
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 006D6D86
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006D6DC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: ef75e1a6383c3eb517a0a9b36af0ebcab8100d58744a6414869bbbbf8262970c
                                    • Instruction ID: 12b1322953e19dc191c1f426f98011ce7fa38bf2de4bbdb8423480a322da2c45
                                    • Opcode Fuzzy Hash: ef75e1a6383c3eb517a0a9b36af0ebcab8100d58744a6414869bbbbf8262970c
                                    • Instruction Fuzzy Hash: 0B31A171600204AEDB109F24DC40BFB73BAFF48720F10961EF89687290CB31AC51CB64
                                    APIs
                                    • _memset.LIBCMT ref: 006B2E00
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B2E3B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 0423086028ef77d0155e943f216533160e1df8749d066fd16e0c0abfe09e58b3
                                    • Instruction ID: e6bc118ee11d517f6a9ab584a85c1263cc68c6ed2a63b59ed78b19e4ff67b69c
                                    • Opcode Fuzzy Hash: 0423086028ef77d0155e943f216533160e1df8749d066fd16e0c0abfe09e58b3
                                    • Instruction Fuzzy Hash: 7131F7B1600306ABEB248F49C8857EEBBFBFF45340F14402EE985962A1E770D9C2CB15
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006D69D0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D69DB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 3a286f0e741e74da30d0556a6bf8e2966c47ae42b99f0b923433011a89255baf
                                    • Instruction ID: 5088d820a2ba2f6145886cff74d6dbf902f4b5c81597bbba490bfa0995832980
                                    • Opcode Fuzzy Hash: 3a286f0e741e74da30d0556a6bf8e2966c47ae42b99f0b923433011a89255baf
                                    • Instruction Fuzzy Hash: F3119871B002096FEF119F14CC90EFB376BEB953A4F114126F9589B3D0D6759C5187A0
                                    APIs
                                      • Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
                                      • Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
                                      • Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91
                                    • GetWindowRect.USER32(00000000,?), ref: 006D6EE0
                                    • GetSysColor.USER32(00000012), ref: 006D6EFA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: 3630c65e92baeb0d82f58efc14c168a0718471e65f0ce49d7700e7dfdaf111c6
                                    • Instruction ID: 0329a2c2a41b0cd8e32a51163ae40ac89671c9fce113ae2222a802dd7e3940e3
                                    • Opcode Fuzzy Hash: 3630c65e92baeb0d82f58efc14c168a0718471e65f0ce49d7700e7dfdaf111c6
                                    • Instruction Fuzzy Hash: B8215972A10209AFDB04DFA8DC45AEA7BBAFB08314F01462AFD55D3250D734E8619B50
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 006D6C11
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006D6C20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: eff033097b1a870db3195c1c11ddc678cd646dbfe2b75ed0c14bdb32117a95ff
                                    • Instruction ID: 01336e12911c9ac528bbcebfb4354428dcc64d7dca39aca1771ee0ac16565c6f
                                    • Opcode Fuzzy Hash: eff033097b1a870db3195c1c11ddc678cd646dbfe2b75ed0c14bdb32117a95ff
                                    • Instruction Fuzzy Hash: 9D116A71911208ABEB108F64DC41AEA3B6BEB15368F218726F961D73E0C775DCA19B60
                                    APIs
                                    • _memset.LIBCMT ref: 006B2F11
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006B2F30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: e779cdf56132c0fbbc1db8473f327b3c4e8ab97bfa575aa455c9bfce24c3bf91
                                    • Instruction ID: f512bd4cb2b92bfd5c2c50b6040408d5520ff95bca719723f58df9f85045fb8a
                                    • Opcode Fuzzy Hash: e779cdf56132c0fbbc1db8473f327b3c4e8ab97bfa575aa455c9bfce24c3bf91
                                    • Instruction Fuzzy Hash: AD11E2B1901216ABDB20DB58DD54BE977FFEB05310F0880B5E864A73A0D7B0EE86C795
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006C2520
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006C2549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 4e884b5ee0a7ae36afd8556ea19f9637549e054691aeb0aa06b67494fd2a8dc1
                                    • Instruction ID: bd2f864aabd82f9ebb9d5069290b58af7ec35b31e5e63789856921a0dd1c40b3
                                    • Opcode Fuzzy Hash: 4e884b5ee0a7ae36afd8556ea19f9637549e054691aeb0aa06b67494fd2a8dc1
                                    • Instruction Fuzzy Hash: D011A0B0501226BADB288F55CCA9FFBFFAAFB06751F50812EFD0556140D270A991DAE0
                                    APIs
                                      • Part of subcall function 006C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006C80C8,?,00000000,?,?), ref: 006C8322
                                    • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB
                                    • htons.WSOCK32(00000000,?,00000000), ref: 006C8108
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 2496851823-2422070025
                                    • Opcode ID: bf55988d9c2ec18a90b6381e81363d5104eaa3a10c13533cf5b017b856d73e5a
                                    • Instruction ID: 1492362ff99cd763dec61d00dbd86c620c27ac8c6dba85d65c03720207194781
                                    • Opcode Fuzzy Hash: bf55988d9c2ec18a90b6381e81363d5104eaa3a10c13533cf5b017b856d73e5a
                                    • Instruction Fuzzy Hash: 1411CE34600206ABCB20AFA4CC46FFEB366EF15320F14852FE91297291DB32A805C699
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C26,007162F8,?,?,?), ref: 00660ACE
                                      • Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66
                                    • _wcscat.LIBCMT ref: 006950E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: FullNamePath_memmove_wcscat
                                    • String ID: cq
                                    • API String ID: 257928180-2380524882
                                    • Opcode ID: d737e050f98f03870877b18f134043bf499340bdd1da84226a2ff54b854527ba
                                    • Instruction ID: 2de09a684d016322c9f675665fb1383645993ac16e5900e992d35bfa7a0607e8
                                    • Opcode Fuzzy Hash: d737e050f98f03870877b18f134043bf499340bdd1da84226a2ff54b854527ba
                                    • Instruction Fuzzy Hash: 0C11A53490420C9B8B41EB64DC01EEA73BAEF08350F0141BAB959D7281EA74DB888755
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006A9355
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2183643518.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true
                                    • Associated: 00000000.00000002.2183593966.0000000000650000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.00000000006DF000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183773274.0000000000705000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183857053.000000000070F000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2183869845.0000000000718000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_650000_Bonifico 9252024pdf.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: e85d893315140b0525543309402ab1f1707f2f1f8f3a940d2235dd7e34e45b0d
                                    • Instruction ID: f2233ca9314229d116a6593348bc0d1913c6fe90b3474367aa5c6bd31829c46d
                                    • Opcode Fuzzy Hash: e85d893315140b0525543309402ab1f1707f2f1f8f3a940d2235dd7e34e45b0d
                                    • Instruction Fuzzy Hash: 15019E71A05214ABCF04FBA4CC958FE77ABBF07320B240619B972572D2DB316D0C9A60
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 006A924D
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: c3583a5ae2437f14abad3d7f0927e82cf2fb8c9a1f634c4abf1b9bc94abed631
                                    • Instruction ID: a561637c77d205532f3cfebe89543df069b16ce99b2bdac7691faf8a6e418af8
                                    • Opcode Fuzzy Hash: c3583a5ae2437f14abad3d7f0927e82cf2fb8c9a1f634c4abf1b9bc94abed631
                                    • Instruction Fuzzy Hash: D3018471E51204BBCB14FBA0C996EFF73AA9F46300F240119B913672D2EA156F1C9A75
                                    APIs
                                      • Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82
                                      • Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 006A92D0
                                    Strings
                                    Similarity
                                    • API ID: ClassMessageNameSend_memmove
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 372448540-1403004172
                                    • Opcode ID: 12c646a82121d81af72adbe9d6dd89592b28d2b890f0b8b3513c5f2906719412
                                    • Instruction ID: f4bfb12aa5e134039084ed9234ced8cef279e6a17a1451b3e718d2244b187b5f
                                    • Opcode Fuzzy Hash: 12c646a82121d81af72adbe9d6dd89592b28d2b890f0b8b3513c5f2906719412
                                    • Instruction Fuzzy Hash: 2A01A2B1E51208B7CB04FBA4C996EFF77AE9F12301F240119B912632C2DA259F0C9A75
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: __calloc_crt
                                    • String ID: @Rq
                                    • API String ID: 3494438863-542386862
                                    • Opcode ID: c35c03a646aeef0fafb257f1eb835f797fc0f970a5aaabc763d4ab8e9aa593fb
                                    • Instruction ID: 82bfff7c3280331fda400c97e0de7606545ee3a58f0b7e7aaedfedba5f5073e1
                                    • Opcode Fuzzy Hash: c35c03a646aeef0fafb257f1eb835f797fc0f970a5aaabc763d4ab8e9aa593fb
                                    • Instruction Fuzzy Hash: 0BF06D71759A169FF778CF2CFD11AE12796FB04720B10C53AF209CB2D0EB3888818698
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: 383da1b0ae79632d00eb7a376d42725d956d9741c9a31191479af62000c76ae7
                                    • Instruction ID: 45d4288297184a6806458337c27069cdf19a9f21b22866580eeff7afcc14fb6f
                                    • Opcode Fuzzy Hash: 383da1b0ae79632d00eb7a376d42725d956d9741c9a31191479af62000c76ae7
                                    • Instruction Fuzzy Hash: B3E02B7290132826E7109699AC05BD7F7ACEB44721F00016BFD14D3140D5709A4487D4
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006A81CA
                                      • Part of subcall function 00673598: _doexit.LIBCMT ref: 006735A2
                                    Strings
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 1993061046-4017498283
                                    • Opcode ID: 11617ee581226028507a080edb9368bb7349e7081cddce031c9aabedc87a690f
                                    • Instruction ID: 3a10eab90766a78f20b26511ce3a0d55c206ce85cca688fa6b0064db6ba25f54
                                    • Opcode Fuzzy Hash: 11617ee581226028507a080edb9368bb7349e7081cddce031c9aabedc87a690f
                                    • Instruction Fuzzy Hash: 62D0C2322C535832D25033A86C06BC6268A4B06B52F10801ABB08995D38DD58CC1529C
                                    APIs
                                      • Part of subcall function 0068B564: _memset.LIBCMT ref: 0068B571
                                      • Part of subcall function 00670B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0068B540,?,?,?,0065100A), ref: 00670B89
                                    • IsDebuggerPresent.KERNEL32(?,?,?,0065100A), ref: 0068B544
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0065100A), ref: 0068B553
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0068B54E
                                    Similarity
                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3158253471-631824599
                                    • Opcode ID: 6ba7c0e9abee62cf1e91532675fbf33c2ab1bf4e3bb02de441c6c5b8710a3690
                                    • Instruction ID: bb43039f74b7abd4b271daf14e44cc3cec82f77b11f0e7b3ae333adc8370aba3
                                    • Opcode Fuzzy Hash: 6ba7c0e9abee62cf1e91532675fbf33c2ab1bf4e3bb02de441c6c5b8710a3690
                                    • Instruction Fuzzy Hash: 92E092B06003128FD360EF28D8043427BE2AF04704F05CA2DE946C37A0E7B8D548CFA2